Full Disclosure mailing list archives
Re: Referers Are Evil
From: Brian Dessent <brian () dessent net>
Date: Sun, 07 Aug 2005 17:10:42 -0700
Ripe Md wrote:
> With referers (HTTP_REFERER) it is easy to take over sessions in some Web applications, forums (phpBB) and so forth.
The natural conclusion would be that storing such session information as part of the URL is what is evil, not the concept of the referer. It also violates the ideal that URLs should be kept as short and simple as is reasonable, and not contain long strings of unintelligible garbage.

In the same vein, most forum software fails to follow the guideline that no HTTP GET should be able to cause a stateful change (such as deleting a post), as was painfully demonstrated by the Google web accelerator debacle.

Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
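The two design mistakes Brian names (a session ID carried in the URL, and a GET that changes state) can be shown side by side in a few lines. The following is an added example, not code from the thread or from phpBB: a toy forum with an in-memory session table, a simulated Referer (browsers of the era sent the full page URL, query string included, when following a link to another http:// site), a `vulnerable_delete` handler in the phpBB style and a `hardened_delete` handler that reads the session only from a cookie and only acts on a POST carrying a per-session token. The handler names, the `Request` class and the sample session/post data are all constructed for illustration.

```python
"""Why a session ID in the URL plus a state-changing GET is a takeover.

Added example (not from the Full-Disclosure thread or phpBB). All names,
handlers and sample data below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit
import secrets

# Constructed sample data: one logged-in user and two forum posts.
SESSIONS = {"a1b2c3d4": "alice"}   # session id -> user
POSTS = {1: "alice", 2: "bob"}     # post id -> owner
CSRF_TOKENS = {}                   # session id -> token issued with the delete form


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    method: str
    url: str                                    # e.g. "/delete?post=1&sid=..."
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)    # POST body fields

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    @property
    def query(self) -> dict:
        return {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}


def referer_leak(page_url: str) -> Optional[str]:
    """What a third-party site learns from the Referer header when a user
    follows a link on page_url: the full URL, so any sid= in it is exposed."""
    return parse_qs(urlsplit(page_url).query).get("sid", [None])[0]


def vulnerable_delete(req: Request, posts: dict) -> str:
    """phpBB-style design: session taken from the URL, deletion on GET.
    Anyone holding the leaked sid, or any prefetcher that follows the link,
    deletes the post."""
    user = SESSIONS.get(req.query.get("sid"))
    if user is None:
        return "login required"
    post = int(req.query.get("post", 0))
    if posts.get(post) != user:
        return "forbidden"
    del posts[post]
    return "deleted"


def issue_csrf_token(sid: str) -> str:
    """Issued when the (POST) delete form is rendered for this session."""
    CSRF_TOKENS[sid] = secrets.token_hex(16)
    return CSRF_TOKENS[sid]


def hardened_delete(req: Request, posts: dict) -> str:
    """Session only from a cookie (never in the URL, so never in a Referer);
    state change only on POST, with a per-session token that a plain link,
    a Referer-harvesting site or a web accelerator cannot supply."""
    if req.method != "POST":
        return "method not allowed"
    sid = req.cookies.get("sid")
    user = SESSIONS.get(sid)
    if user is None:
        return "login required"
    expected, supplied = CSRF_TOKENS.get(sid), req.form.get("token")
    if not expected or not supplied or not secrets.compare_digest(expected, supplied):
        return "bad token"
    post = int(req.form.get("post", 0))
    if posts.get(post) != user:
        return "forbidden"
    del posts[post]
    return "deleted"


if __name__ == "__main__":
    # alice views a topic whose URL carries her sid, then clicks an external link.
    page = "http://forum.example/viewtopic.php?t=7&sid=a1b2c3d4"
    sid = referer_leak(page)
    posts = dict(POSTS)
    print("leaked sid:", sid)
    print("attacker GET:", vulnerable_delete(Request("GET", f"/delete?post=1&sid={sid}"), posts))
    posts = dict(POSTS)
    print("same GET, hardened:", hardened_delete(Request("GET", "/delete?post=1",
                                                         cookies={"sid": "a1b2c3d4"}), posts))
    tok = issue_csrf_token("a1b2c3d4")
    print("real form POST:", hardened_delete(Request("POST", "/delete", cookies={"sid": "a1b2c3d4"},
                                                     form={"post": "1", "token": tok}), posts))
```

The hardened handler does not try to validate the Referer at all; as the thread notes, the header is not the problem, and clients routinely strip it. Keeping the session out of the URL removes the leak, and requiring a POST with a token removes the accelerator/prefetch problem even when the session is intact.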
Current thread:
- Referers Are Evil Ripe Md (Aug 07)
- Re: Referers Are Evil Bipin Gautam (Aug 07)
- Re: Referers Are Evil Vincent van Scherpenseel (Aug 07)
- Re: Referers Are Evil Nicolas Rachinsky (Aug 07)
- Re: Referers Are Evil Steve Friedl (Aug 07)
- Re: Referers Are Evil Tim (Aug 07)
- Re: Referers Are Evil Vincent van Scherpenseel (Aug 07)
- Re: Referers Are Evil Bipin Gautam (Aug 07)