Bugtraq mailing list archives
Re: The Dangers of Allowing Users to Post Images
From: Peter W <peterw () usa net>
Date: Fri, 15 Jun 2001 16:33:25 -0400
On Thu, Jun 14, 2001 at 09:12:05PM -0400, Chris Lambert wrote:
would it be safe to check that if a referer is present, it contains the sites' domain name,
Yes.
but if it isn't, it most likely wouldn't have been referenced in an <img> tag or submitted via JavaScript?
You mean it's safe/legitimate? No. Client-pull META tags generate requests without Referers, as I've said a couple times in this thread, and in previous Bugtraq discussions, too. :-) If you don't see the Referer, you can't trust the request. Your best bet is to lock out users who won't pass Referers. Or at least, when you initialize a user session, note if they seem to be passing Referer values. If they are, then you should certainly reject any later request that seems to be theirs, but lacks a Referer header. Note that in some cases, MSIE won't send a Referer if the TARGET of a link is a different window, or that used to be the case. This is messy. -Peter
Current thread:
- Re[2]: The Dangers of Allowing Users to Post Images, (continued)
- Re[2]: The Dangers of Allowing Users to Post Images Alexander K. Yezhov (Jun 16)
- Re: The Dangers of Allowing Users to Post Images Ben Gollmer (Jun 15)
- Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images) Peter W (Jun 15)
- Re: The Dangers of Allowing Users to Post Images David Dreezer (Jun 15)
- Re: The Dangers of Allowing Users to Post Images Chris Lambert (Jun 15)
- Re: The Dangers of Allowing Users to Post Images Ryan Kennedy (Jun 16)
- Re: The Dangers of Allowing Users to Post Images Chris Lambert (Jun 15)
- Re: The Dangers of Allowing Users to Post Images Chris Lambert (Jun 15)
- Re: The Dangers of Allowing Users to Post Images Peter W (Jun 16)
- Message not available
- Message not available
- Re: The Dangers of Allowing Users to Post Images Jason Brooke (Jun 18)
- Re: The Dangers of Allowing Users to Post Images Peter W (Jun 16)