Bugtraq mailing list archives

Re: Netscape Referer header considered harmful?


From: hallam () AI MIT EDU (Phillip M Hallam-Baker)
Date: Thu, 7 Aug 1997 10:35:48 -0400


 Maybe, but let's hope that Netscape does not take this as
indicating it isn't a bug; it is.

-----Original Message-----
From: Crewdson, Andy <crewdsoa () MAGIC DCRT NIH GOV>
To: BUGTRAQ () NETSPACE ORG <BUGTRAQ () NETSPACE ORG>
Date: 07 August 1997 09:44
Subject: Re: Netscape Referer header considered harmful?



In response to your question about when the HTTP_REFERER with the
"file:///" string is sent:

In Netscape Communicator 4.01a (NT4), the value is present in
HTTP_REFERER only when the user clicks on the link in their bookmark.htm
file.  The "file:///" referer value is not passed when they choose a
bookmark from the Bookmarks menu.  A link chosen from the Bookmarks menu
sends an empty HTTP_REFERER value.


andy

        -----Original Message-----
        From:   Ronald L. Parker [SMTP:ron () FARMWORKS COM]
        Sent:   Monday, August 04, 1997 11:10 AM
        To:     BUGTRAQ () NETSPACE ORG
        Subject:        Netscape Referer header considered harmful?

        -----BEGIN PGP SIGNED MESSAGE-----

        I found something I consider mildly disturbing while browsing my
        referer log stats today.  Viewers to our site today have been
        referred from the following URLs:


file:///Hard%20Disk/System%20Folder/Preferences/Netscape%20%C4/Bookmar
        s.html
        file:C:\NETSCAPE\COMM\PROGRAM\USERS\DEFAULT\BOOKMARK.HTM
        file:///molly's%20bookmarks/molly's%20bookmarks

        As you can see, this is a cross-platform problem.  What I don't
        know is whether these were sent by people just picking the
        bookmark from the dropdown or by people using their bookmarks
        file as a home page.  Not having Communicator myself, and not
        planning to get it any time soon, I can't test this.  In any
        case, file: URLs should be private.

        The last one is particularly interesting, given that it can be
        correlated with an IP address.  I don't know what you call your
        bookmarks, but mine are called "Ron Parker's Bookmarks," based
        (I think) on my identity as told to the mail/news subsystem.
        So, had I been cutting-edge enough to use Netscape 4.0, I would
        now be telling my full name to every site in my bookmarks file.

        Of course, this can also lead to my knowing into exactly which
        directory you've installed Communicator.  This could be useful
        information as well, and could help to mount an attack on your
        private email or the list of newsgroups to which you subscribe.

        In addition, again given that I have your IP address to work
        with, I might now know something about the internal network
        structure of your organization (not exemplified by any of the
        above sites, but think about where you would store your
        bookmarks if you were using a diskless workstation.  Would you
        be giving me a machine name or just a drive letter?)  This
        information could be invaluable as part of an attempt to bypass
        your firewall.

        - --
        Ron Parker
        Webmaster
        Farm Works Software       Come see us at http://www.farmworks.com
        For PGP public key see http://www.farmworks.com/Ron_Parker_PGP_key.txt
        -----BEGIN PGP SIGNATURE-----
        Version: PGP for Personal Privacy 5.0
        Charset: noconv

        -----END PGP SIGNATURE-----
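
Added example, not part of the original thread: a server-side scrubber a webmaster could run over an access log so that `file:` Referer values like those quoted above are counted but not retained. The Apache "combined" log layout, the sample lines and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in Apache "combined" log format (an assumption). Referer
# values are taken from the post; client addresses are documentation ranges.
SAMPLE_LOG = r'''
192.0.2.10 - - [04/Aug/1997:10:01:02 -0500] "GET / HTTP/1.0" 200 2326 "file:C:\NETSCAPE\COMM\PROGRAM\USERS\DEFAULT\BOOKMARK.HTM" "Mozilla/4.01"
192.0.2.11 - - [04/Aug/1997:10:03:40 -0500] "GET / HTTP/1.0" 200 2326 "file:///molly's%20bookmarks/molly's%20bookmarks" "Mozilla/4.01"
192.0.2.12 - - [04/Aug/1997:10:05:13 -0500] "GET / HTTP/1.0" 200 2326 "-" "Mozilla/4.01"
192.0.2.13 - - [04/Aug/1997:10:07:55 -0500] "GET / HTTP/1.0" 200 2326 "http://www.example.com/links.html" "Mozilla/3.0"
'''.strip().splitlines()

NETWORK_SCHEMES = {"http", "https"}   # Referer schemes safe to keep in logs
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
LINE_RE = re.compile(r'^(?P<head>.*" \d{3} \S+ )"(?P<referer>[^"]*)"(?P<tail> ".*")$')

def classify_referer(value):
    """Return 'empty', 'network', 'local-file' or 'other' for a Referer value."""
    value = value.strip()
    if value in ("", "-"):
        return "empty"
    m = SCHEME_RE.match(value)
    if m is None:
        return "other"
    scheme = m.group(1).lower()
    if scheme in NETWORK_SCHEMES:
        return "network"
    # Covers both the file:/// form and the file:C:\ form seen in the post.
    return "local-file" if scheme == "file" else "other"

def scrub_line(line):
    """Return (category, line), with any non-network Referer redacted."""
    m = LINE_RE.match(line)
    if m is None:
        return "unparsed", line
    category = classify_referer(m.group("referer"))
    if category in ("local-file", "other"):
        line = m.group("head") + '"[redacted ' + category + ' referer]"' + m.group("tail")
    return category, line

def scrub_log(lines):
    """Scrub every line; return (scrubbed_lines, Counter of categories)."""
    results = [scrub_line(l) for l in lines]
    return [l for _, l in results], Counter(c for c, _ in results)

if __name__ == "__main__":
    scrubbed, counts = scrub_log(SAMPLE_LOG)
    print(dict(counts))
    print("\n".join(scrubbed))
```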


