Date: Mon Aug  8 01:07:36 2005
From: brian at dessent.net (Brian Dessent)
Subject: Referers Are Evil

Ripe Md wrote:

> With referers (HTTP_REFERER) it is easy to takeover sessions in some
> Web applications Forums (phpBB) and so far.

The natural conclusion would be that storing such session information as
part of the URL is what is evil, not the concept of the referer.  It
also violates the ideal that URLs should be kept as short and simple as
is reasonable, and not contain long strings of unintelligible garbage.

In the same vein, most forum software fails to follow the guideline that
no HTTP GET should be able to cause a stateful change (such as deleting
a post), as was painfully demonstrated by the Google web accelerator
debacle.

Brian
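An added audit script, not part of Brian's message or of any project it names, that checks constructed access-log lines for both problems he raises: session identifiers carried in URLs (which a browser then hands to other sites in the Referer header) and state-changing actions reachable by plain GET. The log format, the parameter names (sid, phpsessid, session_id) and the stateful paths are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters assumed to carry a session identifier.
SESSION_PARAMS = {"sid", "phpsessid", "session_id"}
# Paths assumed to change server state; these should only ever be reached via POST.
STATEFUL_PATHS = {"/posting.php", "/privmsg.php"}

# Apache/nginx "combined" format: client ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def leaked_session_params(url):
    """Return the session-carrying query parameter names present in url."""
    return {k for k in parse_qs(urlsplit(url).query) if k.lower() in SESSION_PARAMS}

def referer_leaks_session(page_url, link_url):
    """True if following link_url from page_url would send page_url's session id to another origin."""
    same_origin = urlsplit(page_url).netloc == urlsplit(link_url).netloc
    return bool(leaked_session_params(page_url)) and not same_origin

def audit_line(line):
    """Return a sorted list of findings for one log line; [] means the request looks fine."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable-line"]
    findings = set()
    method, target = m.group("method"), m.group("target")
    if leaked_session_params(target):
        findings.add("session-id-in-url")        # will travel in Referer on any external link
    if method == "GET" and urlsplit(target).path in STATEFUL_PATHS:
        findings.add("stateful-action-via-get")  # a prefetcher or crawler can trigger it
    return sorted(findings)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Aug/2005:01:07:36 +0000] "GET /viewtopic.php?t=42&sid=0123abcd HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Aug/2005:01:08:10 +0000] "GET /posting.php?mode=delete&p=99 HTTP/1.1" 302 0 "http://forum.example/viewtopic.php?t=42" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Aug/2005:01:09:00 +0000] "POST /posting.php HTTP/1.1" 302 0 "http://forum.example/posting.php?mode=reply" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(audit_line(entry) or "ok")
    print(referer_leaks_session("http://forum.example/viewtopic.php?t=42&sid=0123abcd",
                                "http://other.example/page"))
```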
