Bugtraq mailing list archives
Re: The Dangers of Allowing Users to Post Images
From: Henrik Nordstrom <hno () hem passagen se>
Date: Tue, 19 Jun 2001 15:44:10 +0200
peterw () usa net wrote:
> Folks are missing the point on the Referer check that I suggested.

I intentionally selected to not go down that path in my message as there are quite a few pitfalls with Referer, and it can easily be misunderstood, allowing the application designer to falsely think they have done a secure design using Referer. Also, as shown earlier in the thread, using Referer may render the service less useful for some people. There are people who filter out Referer from their HTTP traffic because there are too many bugs in user-agents showing Referer to things it should not expose externally. Referer is meant to be a statistics & diagnostics tool allowing you to find how your site is referenced, not a security measure. Because of this it is not a required property of HTTP that there is a Referer header when the user follows a link or submits a form.

--
Henrik Nordstrom
Squid HTTP proxy developer
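
Added example, not part of the original message or of any project named in it: a Referer check on a form handler has to decide what to do when the header is absent, which the message notes HTTP permits. The host name `forum.example`, the function names and the sample requests are constructed assumptions.

```python
from urllib.parse import urlsplit

TRUSTED_HOST = "forum.example"  # assumed name of the site receiving the form

def referer_verdict(headers, trusted_host=TRUSTED_HOST):
    """Classify a request as 'absent', 'same-site' or 'other-site'."""
    value = headers.get("Referer", "").strip()
    if not value:
        return "absent"              # HTTP does not require the header
    try:
        host = urlsplit(value).hostname
    except ValueError:               # malformed URL in the header
        host = None
    if host is not None and host.lower() == trusted_host:
        return "same-site"
    return "other-site"

def allow(headers, reject_when_absent):
    """Apply the check; the caller must pick a policy for 'absent'."""
    verdict = referer_verdict(headers)
    if verdict == "absent":
        return not reject_when_absent
    return verdict == "same-site"

# Constructed sample requests (headers only). The two requests without a
# Referer are byte-for-byte identical from the server's point of view.
SAMPLE_REQUESTS = [
    ("user following a link on the site",
     {"Referer": "http://forum.example/thread/1"}),
    ("user whose filter strips Referer", {}),
    ("request referred from another site",
     {"Referer": "http://other.example/page"}),
    ("request of unknown origin, no Referer", {}),
]

def decisions(reject_when_absent):
    """Map each sample request's label to the allow/deny outcome."""
    return {label: allow(h, reject_when_absent) for label, h in SAMPLE_REQUESTS}

if __name__ == "__main__":
    for policy in (True, False):
        print("reject_when_absent =", policy)
        for label, ok in decisions(policy).items():
            print("  %-40s %s" % (label, "allow" if ok else "deny"))
```

With `reject_when_absent=True` the user behind a Referer-stripping filter is locked out; with `False` every request lacking the header passes without the check having established anything about it.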