Message-ID: <8B32EDC90D8F4E4AB40918883281874D273C7F@pivxwin2k1.secnet.pivx.com>
Date: Tue, 30 Dec 2003 13:50:27 -0800
From: <tlarholm@...x.com>
To: <deane@...nebarker.net>, <bugtraq@...urityfocus.com>
Cc: <ntbugtraq@...tserv.ntbugtraq.com>
Subject: RE: IE 5.22 on Mac Transmitting HTTP Referer from Secure Page


This applies to ALL versions of Internet Explorer on all systems, though
IE on Windows requires that the HTTPS site is left through a redirection.
I verified this on IE 5, 5.5, 6 and 6SP1.

As an easily demonstrated example, open your Windows IE and go to

https://login.yahoo.com/config/login

then to verify that no referer is typically sent (the expected behavior)
write the following in your Address Bar

javascript:document.links[0].href="http://pivx.com/larholm/test/referer.php";document.links[0].click();void(0)

If you want to see the referer being sent from https://login.yahoo.com
to http://pivx.com write the following

javascript:document.links[0].href="https://us.rd.yahoo.com/reg/sihflib/*http://pivx.com/larholm/test/referer.php";document.links[0].click();void(0)

The redirect script has to be on the same domain. It is not uncommon to
see redirectors on sites protected by SSL, most typically webmail
implementations.

Lots of other browsers have been vulnerable to this, including Netscape
4 and Opera.


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
949-231-8496

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net> 


-----Original Message-----
From: deane@...nebarker.net [mailto:deane@...nebarker.net] 
Sent: Wednesday, December 24, 2003 8:16 AM
To: bugtraq@...urityfocus.com
Subject: IE 5.22 on Mac Transmitting HTTP Referer from Secure Page




Documented instance of Internet Explorer 5.22 on a Mac transmitting an
HTTP Referer header from a link on a secure page (https):

http://www.gadgetopia.com/2003/12/23/OutlookWebAccessPrivacyHole.html

This is clearly covered in the HTTP 1.1 spec (RFC 2616), Section 15.1.3,
"Encoding Sensitive Information in URI's":

"Clients SHOULD NOT include a Referer header field in a (non-secure)
HTTP request if the referring page was transferred with a secure
protocol."
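
An added example, not part of either message above: a Python check over a plain-HTTP server's access log that flags requests arriving with an https Referer, which is the condition RFC 2616 Section 15.1.3 says clients SHOULD NOT produce and the one the referer.php test page is used to observe. The log lines, hostnames and result field names are constructed for illustration, and Combined Log Format is an assumption about the server.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format (assumed):
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines from a plain-HTTP virtual host (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Dec/2003:13:50:27 -0800] "GET /test/referer.php HTTP/1.1" 200 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.11 - - [30/Dec/2003:13:51:02 -0800] "GET /test/referer.php HTTP/1.1" 200 312 "https://mail.example.com/inbox?folder=private&msg=42" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.12 - - [30/Dec/2003:13:52:40 -0800] "GET /index.html HTTP/1.1" 200 1024 "http://www.example.org/links.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
"""

def secure_referer_leaks(log_text):
    """Return one finding per request to this HTTP host that carried an https Referer."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ref = urlsplit(m.group("referer"))
        if ref.scheme.lower() != "https":
            continue  # "-" (no Referer) and http referrers are expected here
        findings.append({
            "client": m.group("client"),
            "requested": m.group("path"),
            "referring_host": ref.hostname,
            # Record only whether a query string leaked, never its value.
            "query_leaked": bool(ref.query),
            "agent": m.group("agent"),
        })
    return findings

if __name__ == "__main__":
    for finding in secure_referer_leaks(SAMPLE_LOG):
        print(finding)
```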

