Vulnerability Development mailing list archives
Re: Q: How to strip http-referer field?
From: Blue Boar <BlueBoar () THIEVCO COM>
Date: Wed, 6 Sep 2000 22:50:46 -0700
Lincoln Yeoh wrote:

> Hi, Say I have a web mail/messaging program that allows viewing of html (yes I know that's not so safe but y'know how it is). Currently I translate all links to point to a custom fastcgi perl script which 302 redirects the user if urls are ok looking but displays an error page if there are GET style parameters or other weird stuff in the URL (file://...), with a click option to the offending URL if the user is brave enough. Yes this breaks inline images with funny urls, but erm so far no complaints ;).

There has been a lot of discussion about how to squeeze "bad" stuff past these kinds of filters. Do you handle all the stuff that has been identified so far? Javascript seems to be the biggest worry at present.

> Question is: would it be worth stripping out the http-referer when the user retrieves foreign links from the displayed html page (either directly or via img src or other means).

Most likely. Many web-mail programs use GET methods to switch between screens, and unfortunately put sensitive info in the URLs they GET, enough to authenticate as the users, if the attacker is quick enough. If you don't strip the referrer stuff, your URL will show up in my web logs.

> If it's worth it, any ideas how to do it reliably? Currently most browsers still maintain the old referer field value past any 302 redirects.

Sorry.. your question implied that you had a proxy in place to do this. If not, how about popping some innocuous page first, that has a client-side pull to do the real GET?

> Proxying and fetching the actual content would be too resource intensive. The main trouble is these img src links, html could be done by a meta refresh page. I suppose I would have to make sure that a very boring url is used to view the HTML message?

Or just use PUT instead of GET for your mail processing.

> Cheerio, Link. p.s. Yes it should be spelt referrer.

Yup. Fun little spelling error that made it into the official spec.

BB
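The link redirector discussed in this message, sketched as an added example that is not code from the thread: it applies the checks Lincoln describes (scheme, GET-style parameters) and, for links that pass, returns the interstitial client-side-pull page Blue Boar suggests instead of a 302. The function names, messages and the `Referrer-Policy` response header (a later browser feature, not mentioned in the thread) are assumptions of this sketch.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def check_link(url):
    """Return None if the link looks ordinary, else the reason it was flagged."""
    # Reject whitespace/control characters before parsing; URL parsers may
    # silently strip them, which is one way to slip past a filter.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return "whitespace or control character"
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:   # file:, javascript:, ...
        return "scheme is not http or https"
    if not host:
        return "no host"
    if parts.query:
        return "GET-style parameters"
    return None

def redirect_response(url):
    """Build (status, headers, body) for the redirector endpoint.

    The endpoint itself must live at a 'boring' URL that carries no session
    data, because its address is what the destination may see as referrer.
    """
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Referrer-Policy", "no-referrer"),   # assumption: modern browsers
        ("Cache-Control", "no-store"),
    ]
    safe = html.escape(url, quote=True)       # never echo the raw URL
    reason = check_link(url)
    if reason:
        # Unlike the script in the thread, the flagged URL is shown as text
        # only, so a javascript: or file: link is never clickable here.
        body = (f"<p>Link not opened ({html.escape(reason)}):</p>"
                f"<pre>{safe}</pre>")
        return "400 Bad Request", headers, body
    # Client-side pull: the browser issues a fresh GET from this page.
    body = (f'<meta http-equiv="refresh" content="0;url={safe}">'
            f'<p>Continuing to <a rel="noreferrer" href="{safe}">{safe}</a></p>')
    return "200 OK", headers, body
```
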