Bugtraq mailing list archives
Re: never-ending Referer arguments (The Dangers of Allowing Users to Post Images)
From: Peter W <peterw () usa net>
Date: Tue, 19 Jun 2001 12:47:12 -0400
On Tue, Jun 19, 2001 at 03:44:10PM +0200, Henrik Nordstrom wrote:
> peterw () usa net wrote:
> > Folks are missing the point on the Referer check that I suggested.
>
> I intentionally selected to not go down that path in my message as there are quite a bit of pitfalls with Referer, and it can easily be misunderstood, allowing the application designer to falsely think they have done a secure design using Referer.
Henrik, you also revealed your lack of understanding of the Referer check logic when you wrote: "It is well known that Referer can be forged, and to further add to this some browsers preserve Referer when following redirects, allowing this kind of attack to bypass any Referer check if your users follow URLs (direct or indirect via images) posted by other users or even your own staff when linking to external sites." Neither forging Referers nor preserving Referers across redirects threatens the model I suggested.
> Also, as shown earlier in the thread, using Referer may render the service less useful for some people. There are people who filter out Referer from their HTTP traffic because there are too many bugs in user-agents showing Referer to things it should not expose externally.
I mentioned that myself, as you may recall. As for recommending one-time tickets, we agree there. All this chatter about Referer checks amounts to two things:
- some folks not understanding the model
- folks legitimately disagreeing on the number of users who might be locked out by a Referer check.

-Peter
Web applications designer and Squid user :-)
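As an added illustration of the two defences the thread contrasts (not code from any poster), the snippet below puts a strict Referer check next to a one-time ticket check: a request from a user whose proxy strips Referer fails the first but passes the second, and a replayed ticket is rejected. The host name, the in-memory ticket store and the request dictionaries are constructed for this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory store of unissued-or-unused tickets; a real application
# would bind tickets to a user session and expire them.
_issued_tickets: set = set()


def issue_ticket() -> str:
    """Mint a random one-time ticket to embed in the form or link we serve."""
    ticket = secrets.token_urlsafe(16)
    _issued_tickets.add(ticket)
    return ticket


def referer_check(headers: dict, our_host: str) -> bool:
    """Strict Referer check: accept only requests whose Referer names our host.

    A client or proxy that filters Referer out (the lockout case raised in
    the thread) has no header at all and therefore fails this check.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlsplit(referer).hostname == our_host


def ticket_check(params: dict) -> bool:
    """One-time ticket check: the ticket must have been issued and is consumed on use.

    This does not look at Referer, so Referer-stripping users are not affected.
    """
    supplied = str(params.get("ticket", "")).encode()
    match = [t for t in _issued_tickets if hmac.compare_digest(t.encode(), supplied)]
    if not match:
        return False
    _issued_tickets.discard(match[0])  # single use: a replay will fail
    return True


def evaluate(request: dict, our_host: str = "www.example.org") -> dict:
    """Run both checks on a constructed request {"headers": ..., "params": ...}."""
    return {
        "referer_ok": referer_check(request.get("headers", {}), our_host),
        "ticket_ok": ticket_check(request.get("params", {})),
    }
```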