Bugtraq mailing list archives
Re: The Dangers of Allowing Users to Post Images
From: Henrik Nordstrom <hno () hem passagen se>
Date: Tue, 19 Jun 2001 15:32:01 +0200
Sverre H. Huseby wrote:
There is, of course, no reason to add a ticket to off-site links. The tickets are only understandable by our web application. Tickets should only be tied to actions that have side effects on our server (for which GET may be the Wrong Thing anyway). If this principle is followed, I can't see how anyone would be able to pick up Referers containing tickets without having access to our server. Please enlighten me if I've misunderstood anything here.
If your page for some reason references an external object (page, image or whatever), then this external object will get the Referer header indicating the full URL of your page. If this URL (the URL of your page) includes the user's ticket, then the ticket is exposed to that external object.
For this simple reason, my guideline is to never include tickets in URLs. Always pass them around using (hidden) form fields sent via POST.

-- Henrik Nordstrom, Squid HTTP proxy developer
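The leak Henrik describes is mechanical: a browser of that era sends the full page URL, query string included, as the Referer for every object the page makes it fetch. The following is an added illustration, not code from the thread or from Squid, that audits a page for this: given the page's URL and its HTML, it lists every off-site object that would receive a Referer carrying a ticket-like query parameter, and it shows the hardened form (ticket in a hidden POST field, URL clean) producing no leaks. All hosts, ticket values and HTML are constructed sample data; the parameter names other than "ticket" are assumed synonyms.

```python
"""
Added illustration (not part of the original Bugtraq thread): a ticket placed
in a page URL leaks through the Referer header to every external object the
page embeds; a ticket carried in a hidden POST field does not.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qs

# "ticket" is the thread's term; the other names are assumed synonyms.
SENSITIVE_PARAMS = {"ticket", "session", "sid", "token"}


class _RefCollector(HTMLParser):
    """Collect URLs a browser fetches while rendering (img/script/link/iframe)
    or when the user follows a link (a href); both carry a Referer."""
    FETCHED = {("img", "src"), ("script", "src"), ("link", "href"),
               ("iframe", "src"), ("a", "href")}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in self.FETCHED and value:
                self.refs.append(value)


def referer_for(page_url):
    """Referer value sent for objects on this page: the full URL, query string
    included, with only the fragment stripped."""
    return urlsplit(page_url)._replace(fragment="").geturl()


def find_ticket_leaks(page_url, html):
    """Return (external_url, leaked_param_names) for every off-site object
    whose server would receive a Referer carrying a sensitive parameter."""
    ref = referer_for(page_url)
    sensitive = sorted(k for k in parse_qs(urlsplit(ref).query)
                       if k.lower() in SENSITIVE_PARAMS)
    if not sensitive:
        return []  # nothing secret in the URL, so nothing to leak
    our_host = urlsplit(page_url).netloc.lower()
    parser = _RefCollector()
    parser.feed(html)
    leaks = []
    for raw in parser.refs:
        target = urljoin(page_url, raw)  # resolve relative references
        if urlsplit(target).netloc.lower() != our_host:
            leaks.append((target, sensitive))
    return leaks


def render_with_hidden_ticket(ticket, action, body):
    """Hardened pattern from the thread: the ticket travels in a hidden form
    field submitted via POST, so the page URL (and thus the Referer) is clean."""
    return ('<form method="POST" action="%s">'
            '<input type="hidden" name="ticket" value="%s">%s'
            '<input type="submit" value="Continue"></form>'
            % (escape(action, quote=True), escape(ticket, quote=True), body))


# Constructed sample data: one on-site image, one off-site ad image, one
# off-site link.  Only the off-site references are a problem.
PAGE_BODY = ('<img src="/logo.gif">'
             '<img src="https://ads.example/banner.gif">'
             '<a href="https://other.example/">elsewhere</a>')
UNSAFE_PAGE_URL = "https://app.example/view?ticket=abc123&id=7"
UNSAFE_PAGE_HTML = "<html><body>%s</body></html>" % PAGE_BODY
SAFE_PAGE_URL = "https://app.example/view"
SAFE_PAGE_HTML = "<html><body>%s</body></html>" % render_with_hidden_ticket(
    "abc123", "/view", PAGE_BODY)

if __name__ == "__main__":
    print("Referer sent from unsafe page:", referer_for(UNSAFE_PAGE_URL))
    for url, params in find_ticket_leaks(UNSAFE_PAGE_URL, UNSAFE_PAGE_HTML):
        print("LEAK ->", url, "receives", params)
    print("Leaks from hardened page:",
          find_ticket_leaks(SAFE_PAGE_URL, SAFE_PAGE_HTML))
```

Running the script reports the ad image and the off-site link as recipients of the ticket and an empty list for the hardened page. The check deliberately ignores on-site references, matching the quoted point that tickets in our own URLs are only a problem once a page carrying them references something we do not control.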