Bugtraq mailing list archives

Re: The Dangers of Allowing Users to Post Images

From: "Sverre H. Huseby" <shh () thathost com>
Date: Tue, 19 Jun 2001 09:01:18 +0200

(First, thanks a _lot_ for Squid, Henrik!)

[Henrik Nordstrom]

|   Further, if you pass around the ticket in URLs then this class of
|   attacks will also have full access to the ticket from the referer
|   URL, so if you only base your security on these two measurements
|   (client IP + ticket present in the URL) then your are most likely
|   at risk here.

There are, of course, no reason to add a ticket to off-site links.
The tickets are only understandable by our web application.

Tickets should only be tied to actions that have side effects on our
server (for which GET may be Wrong Thing anyway).  If this principle
is followed, I can't see how anyone would be able to pick up Referers
containing tickets without having access to our server.  Please
enlighten me if I've misunderstood anything here.


Sverre.

-- 
<URL:mailto:shh () thathost com>
<URL:http://shh.thathost.com/>

Current thread:

Re: The Dangers of Allowing Users to Post Images, (continued)
- - Re: The Dangers of Allowing Users to Post Images Tim Nowaczyk (Jun 16)
    - Re: The Dangers of Allowing Users to Post Images Henrik Nordstrom (Jun 18)
    - Re: The Dangers of Allowing Users to Post Images peterw (Jun 19)
    - Re: The Dangers of Allowing Users to Post Images Henrik Nordstrom (Jun 19)
    - Re: never-ending Referer arguments (The Dangers of Allowing Users to Post Images) Peter W (Jun 19)
    - Re: [BUGTRAQ] Re: never-ending Referer arguments (The Dangers of Allowing Users to Post Images) CDI (Jun 22)
    - Re: The Dangers of Allowing Users to Post Images John Percival (Jun 22)
    - Re: The Dangers of Allowing Users to Post Images Michal Szokolo (Jun 24)
    - Re: The Dangers of Allowing Users to Post Images Travis Siegel (Jun 25)
    - Re: The Dangers of Allowing Users to Post Images Jeffrey W. Baker (Jun 25)
    - Re: The Dangers of Allowing Users to Post Images Sverre H. Huseby (Jun 19)
    - Re: The Dangers of Allowing Users to Post Images Henrik Nordstrom (Jun 19)
    - Re: The Dangers of Allowing Users to Post Images Brett Lymn (Jun 18)
- RE: The Dangers of Allowing Users to Post Images Richard M. Smith (Jun 15)
  - Re: The Dangers of Allowing Users to Post Images Marc Slemko (Jun 16)
  - Re[2]: The Dangers of Allowing Users to Post Images Alexander K. Yezhov (Jun 16)
- Re: The Dangers of Allowing Users to Post Images Ben Gollmer (Jun 15)
- Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images) Peter W (Jun 15)
  - Re: Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images) Chris Lambert (Jun 15)
    - Re: Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images) Peter W (Jun 15)
- Re: The Dangers of Allowing Users to Post Images David Dreezer (Jun 15)

(Thread continues...)