Open Source and information security mailing list archives
Date: Sun Aug  7 15:44:27 2005
From: ripemd160 at gmail.com (Ripe Md)
Subject: Referers Are Evil

With referers (HTTP_REFERER) it is easy to take over sessions in some
Web applications, forums (phpBB) and so on. If a user of such an
application doesn't allow the use of cookies, the session information
is mostly transported over the URL. If somebody places a hyperlink, for
example in a forum, which points to a server that another person owns,
the other person just has to read the referer log of this server. The
same problem also occurs in forums which allow the inclusion of
external pictures, for example with the [IMG] BB tag.

Work-Around:
On the Clientside:
Disable the sending of the Referer in the Browser.

On the Serverside:
For Links:
- Use a URL database, and store all hyperlinks of your users in it.
- Make a link exit page, which doesn't include any sensitive information.
For Pictures:
- Just don't allow users to include external pictures.
Or your application should only be accessible via the use of cookies.
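As an added illustration of the server-side work-around (example code written for this archive page, not from the post or from phpBB): the first function shows which forum URLs would leak a session id through the Referer header, and the other two implement the link exit page, rewriting user-posted [url] tags so the outside server only ever sees the exit page URL. The signing key, the list of session parameter names and the /exit path are assumptions.

```python
import hmac
import hashlib
import re
from html import escape
from urllib.parse import parse_qs, quote, urlparse

# Constructed values: a signing key for exit links and the query parameter names
# that commonly carry a session id in forum software (assumption, not from the post).
EXIT_SECRET = b"replace-with-a-long-random-key"
SESSION_PARAMS = {"sid", "phpsessid", "sessionid", "session_id"}

_URL_TAG = re.compile(r"\[url\](https?://[^\[\]\s]+)\[/url\]", re.IGNORECASE)


def url_leaks_session(url: str) -> bool:
    """True if a URL carries a session id in its query string, i.e. what the
    Referer header would expose if this page linked to a third-party host."""
    params = parse_qs(urlparse(url).query)
    return any(name.lower() in SESSION_PARAMS for name in params)


def exit_token(target: str) -> str:
    # The HMAC ties the exit link to its target so /exit cannot be abused as an open redirector.
    return hmac.new(EXIT_SECRET, target.encode(), hashlib.sha256).hexdigest()[:32]


def rewrite_links(post: str) -> str:
    """Turn [url]...[/url] BBCode into links through /exit, so the Referer the
    external site receives is the exit page URL, which contains no session id."""
    def repl(match):
        target = match.group(1)
        href = f"/exit?u={quote(target, safe='')}&t={exit_token(target)}"
        return f'<a href="{href}">{escape(target)}</a>'
    return _URL_TAG.sub(repl, post)


def exit_page(u: str, t: str) -> tuple:
    """Exit page handler returning (status, headers, body). It serves a real
    200 page instead of a 302: a redirect keeps the original page's Referer,
    while a page of its own becomes the Referer; the meta tag asks for none."""
    if not hmac.compare_digest(exit_token(u), t):
        return 400, {"Content-Type": "text/plain"}, "invalid exit link"
    safe_u = escape(u, quote=True)
    body = ('<!DOCTYPE html><html><head><meta name="referrer" content="no-referrer">'
            f'<meta http-equiv="refresh" content="0;url={safe_u}"></head>'
            f'<body>Leaving the forum: <a href="{safe_u}">{escape(u)}</a></body></html>')
    return 200, {"Content-Type": "text/html", "Referrer-Policy": "no-referrer"}, body
```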

Sincerely

~ RIPEMD160
