Open Source and information security mailing list archives
 
Date: Fri, 21 Mar 2003 19:59:38 -0800
From: "Kurt Seifried" <kurt@...fried.org>
To: <full-disclosure@...ts.netsys.com>
Cc: <bugtraq@...urityfocus.com>
Subject: Re: CERT: Vulnerability in web redirectors


Like hack4life stated, this is a pretty well known problem. Solving it isn't
too hard. Legitimate clients will send an HTTP referer; thus an
unsuspecting user who clicks on a redirect link in an email will send a
blank referer, or, from a website, that website's referer. So simply add some
logic in your script to check the referer. A quick and dirty example in PHP
(yes, this code is horrible and ugly, but it's a reasonably clear example):

<HTML>
<HEAD>
<TITLE>You are now leaving example.org</TITLE>
<?php
/* Read the referer only if the client sent one (avoids an undefined-index
   notice); the anchored pattern only accepts URLs whose host is example.org
   or a subdomain, not any URL that merely contains "example.org/" in its path. */
$referer = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : "";

/* The target comes straight from the query string, so escape it before it is
   echoed into HTML attributes and text. */
$target = htmlspecialchars($_SERVER["QUERY_STRING"], ENT_QUOTES);

if (preg_match("/^https?:\/\/([a-z0-9.-]+\.)?example\.org\//i", $referer)) {
  print "<META http-equiv=\"refresh\" content=\"1;URL=$target\">";
  print "</HEAD>";
  print "<BODY bgcolor=\"#ffffff\">";
  print "<P>[1] Redirecting you to: ";
  print "<A HREF=\"$target\">$target</A>, if it doesn't work click on the link.</P>";
  print "<P>" . htmlspecialchars($referer, ENT_QUOTES) . "</P>";
} else {
  print "</HEAD>";
  print "<BODY bgcolor=\"#ffffff\">";
  print "<P>Someone has tried to use this site's web redirector in an
attempt to make a link appear legitimate.</P>";
}
?>
</BODY>
</HTML>

Obviously this is not bullet proof; anyone who hacks their client to send
fake referers can get around it, but then we aren't trying to block that
kind of person, we're simply trying to prevent widespread abuse by a
spammer/etc.


Kurt Seifried, kurt@...fried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
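The referer policy from the message above, written out as a stand-alone example (added here, not code from the original post): the referer is parsed and its host compared exactly, so a referer from another site whose path happens to contain "example.org/" is refused, and the redirect target itself is required to be an http(s) URL. The host names and sample requests are constructed for the illustration.

```python
"""Referer-based guard for a web redirector (illustrative, not the posted PHP)."""
from typing import Optional
from urllib.parse import urlsplit

OWN_HOSTS = {"example.org", "www.example.org"}  # constructed for the example


def referer_is_local(referer: Optional[str], own_hosts=OWN_HOSTS) -> bool:
    """True only if Referer is an http(s) URL whose host is one of ours.

    A blank referer (link clicked in a mail client, bookmark, etc.) and a
    referer from any other host are both refused, matching the post's policy.
    """
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()  # hostname drops userinfo and port
    return host in own_hosts


def destination_is_sane(target: str) -> bool:
    """Accept only absolute http(s) targets; reject javascript:/data: URLs
    and scheme-relative or host-less values that a meta refresh would follow."""
    parts = urlsplit(target)
    return parts.scheme.lower() in ("http", "https") and bool(parts.hostname)


def decide(referer: Optional[str], target: str) -> str:
    """Return 'redirect' or 'refuse' for one request to the redirector."""
    if referer_is_local(referer) and destination_is_sane(target):
        return "redirect"
    return "refuse"


if __name__ == "__main__":
    # Constructed sample requests: (Referer header, requested target)
    cases = [
        ("http://www.example.org/links.html", "http://partner.example/page"),
        (None, "http://partner.example/page"),             # clicked from an e-mail
        ("http://evil.example/example.org/", "http://partner.example/page"),
        ("http://www.example.org/", "javascript:alert(1)"),
    ]
    for ref, tgt in cases:
        print(f"{ref!r:42} {tgt!r:30} -> {decide(ref, tgt)}")
```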

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
