Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: The Dangers of Allowing Users to Post Images

From: Henrik Nordstrom <hno () hem passagen se>
Date: Tue, 19 Jun 2001 15:32:01 +0200
Sverre H. Huseby wrote:


There are, of course, no reason to add a ticket to off-site links.
The tickets are only understandable by our web application.

Tickets should only be tied to actions that have side effects on our
server (for which GET may be Wrong Thing anyway).  If this principle
is followed, I can't see how anyone would be able to pick up Referers
containing tickets without having access to our server.  Please
enlighten me if I've misunderstood anything here.


If the your page for some reasons references an external object (page,
image or whatever) then this external object will get the refeferer
header indicating the full URL of your page. If this URL (the URL of
your page) includes the users ticket then the ticket is exposed to that
external object.


From this simple reason, my the guideline is to never include tickets in

URL's. Always pass them around using (hidden) form fields sent via POST.

--
Henrik Nordstrom
Squid HTTP proxy developer
Previous By Date Next
Previous By Thread Next

Current thread: