lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun Aug  7 19:27:26 2005
From: gautam.bipin at gmail.com (Bipin Gautam)
Subject: Referers Are Evil

this was my best kept secret!      (o;

BUT, i remember testing it on PHPBB back then, i don't think you can
take over the session on that! (i may be wrong). YAP, but there are
LOTS of sites & applications out there from which you can easily steal
away sessions.

On 8/7/05, Ripe Md <ripemd160@...il.com> wrote:
> With referers (HTTP_REFERER) it is easy to takeover sessions in some
> Web applications Forums (phpBB) and so far. If an user of such an
> application doesn't allow the use of cookies, the session informations
> are mostly transportet over the URL. If somebody else places a
> Hyperlink for example in a Forum which points to a server, which other
> person owns, the other person, has just to read the referer log of
> this server. The same problem occurs also in Forums, which allow the
> including of external pictures for example with the [IMG]-BB-Tag.
> 
> Work-Around:
> On the Clientside:
> Disable the sending of the Referer in the Browser.
> 
> On the Serverside:
> for Links:
> - Use An URL Database, and store all Hyperlinks of your users in it.
> - Make an Link exit page, which doesn't include any sensitive Information.
> For Pictures:
> - Just don't allow users to include externl pictures.
> Or your Application should just be accessible via the use of Cookies.
> 
> Sincerely
> 
> ~ RIPEMD160
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 


-- 
---
Bipin Gautam
http://bipin.tk

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ