Full Disclosure mailing list archives
Referers Are Evil
From: Ripe Md <ripemd160 () gmail com>
Date: Sun, 7 Aug 2005 16:44:21 +0200
With referers (HTTP_REFERER) it is easy to take over sessions in some web applications, forums (phpBB) and so forth. If a user of such an application doesn't allow the use of cookies, the session information is mostly transported over the URL. If somebody else places a hyperlink, for example in a forum, which points to a server that another person owns, that other person just has to read the referer log of this server. The same problem also occurs in forums which allow the inclusion of external pictures, for example with the [IMG] BB tag.

Work-around:

On the client side: disable the sending of the Referer in the browser.

On the server side:

For links:
- Use a URL database, and store all hyperlinks of your users in it.
- Make a link exit page which doesn't include any sensitive information.

For pictures:
- Just don't allow users to include external pictures.

Or your application should just be accessible via the use of cookies.

Sincerely
~ RIPEMD160
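The server-side work-around above (URL database plus a link exit page that carries no session data), as an added example that is not part of the original post and is not phpBB code. Names such as URL_DB, exit_page and the session parameter names are hypothetical; the Referrer-Policy header is a modern addition the 2005 post could not mention.

```python
from urllib.parse import parse_qs, urlparse

# Assumed names of URL-carried session parameters to look for in referer logs.
SESSION_PARAMS = {"sid", "phpsessid"}

# "URL database": users' hyperlinks are stored here and referenced by id only,
# so the forum page never links to the raw external target directly.
URL_DB = {}


def register_link(url):
    """Store a user-submitted hyperlink; return its id, or None if rejected."""
    if urlparse(url).scheme not in ("http", "https"):
        return None
    link_id = len(URL_DB) + 1
    URL_DB[link_id] = url
    return link_id


def render_link(link_id):
    """HTML for the post: points at the exit page, not the external server."""
    return '<a href="/exit.php?id=%d" rel="noreferrer">%s</a>' % (link_id, URL_DB[link_id])


def exit_page(link_id):
    """Exit page handler: returns (status, headers). Its own URL holds only the
    link id, so whatever Referer the browser sends to the target contains no
    session information; Referrer-Policy suppresses the header entirely."""
    target = URL_DB.get(link_id)
    if target is None:
        return 404, {}
    return 302, {"Location": target, "Referrer-Policy": "no-referrer"}


def referer_leaks_session(referer):
    """Detection side: names of session parameters present in a logged Referer."""
    query = parse_qs(urlparse(referer).query)
    return sorted(k for k in query if k.lower() in SESSION_PARAMS)


if __name__ == "__main__":
    # Constructed sample: a link a user posted and a referer a third party would log.
    lid = register_link("http://example.org/pic.png")
    print(render_link(lid), exit_page(lid))
    print(referer_leaks_session("http://forum.example/viewtopic.php?t=5&sid=deadbeef"))
```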