[4951] in WWW Security List Archive
Re: The GET vulnerability
daemon@ATHENA.MIT.EDU (Laurent Demailly)
Sat Mar 29 18:50:13 1997
Date: Sat, 29 Mar 1997 17:29:50 +0100
From: Laurent Demailly <dl@hplyot.obspm.fr>
To: Gary McGraw <gem@rstcorp.com>
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <199703281616.LAA10095@rstcorp.com>
Errors-To: owner-www-security@ns2.rutgers.edu
The risk is most probably so close to zero that this is a non-issue
(for credit cards, the issue is indeed rather for privacy when doing
searches... we have here an interesting collection of Alta Vista
search referers that say much about people's interests (as you might
expect: sex)).

Why it is not a problem for credit cards: because all but prehistoric
(pre-1.0 Netscape versions, for instance...) browser versions send
referer information only if you select a link on the page, and I doubt
any CC submittal form/acknowledgement would have a link to an
external/dangerous site (not counting that there is also probably
very little GET method used anymore for that kind of form).

This does not mean CC use on the net is safe, but that particular
problem is not (imo) an issue.
Best regards
dl
--
Laurent Demailly * http://hplyot.obspm.fr/~dl/ * Pobox email: dl@mail.dotcom.fr
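
The condition discussed in the message above (a page whose URL carries GET form data and which also contains a link to another site) can be checked mechanically. This is an added example, not part of the original post; the parameter names, URL and HTML are constructed assumptions, and it looks only at clickable links, as the message does.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qsl

# Assumed parameter names treated as sensitive; adjust for the application.
SENSITIVE = {"cc", "cardnumber", "card", "q", "query"}


class _LinkCollector(HTMLParser):
    """Collects href values of clickable links (<a> and <area>)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "area"):
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def referer_exposure(page_url, html, sensitive=SENSITIVE):
    """Return (leaked_params, external_hosts) for a page served at page_url.

    leaked_params: sensitive names present in the page's own query string,
    i.e. what a Referer header built from this URL would carry.
    external_hosts: hosts of links on the page that point off-site.
    """
    page = urlsplit(page_url)
    leaked = sorted({k for k, _ in parse_qsl(page.query, keep_blank_values=True)
                     if k.lower() in sensitive})
    collector = _LinkCollector()
    collector.feed(html)
    hosts = set()
    for href in collector.hrefs:
        target = urlsplit(urljoin(page_url, href))
        if target.scheme in ("http", "https") and target.hostname != page.hostname:
            hosts.add(target.hostname)
    return leaked, sorted(hosts)


# Constructed sample: an order acknowledgement page reached via a GET form.
SAMPLE_URL = "http://shop.example/ack?name=A+Buyer&cc=4111111111111111"
SAMPLE_HTML = """<html><body><p>Thanks for your order.</p>
<a href="/home">Home</a> <a href="receipt.html">Receipt</a>
<a href="http://partner.example/ads?id=7">Our sponsor</a>
<a href="mailto:help@shop.example">Help</a></body></html>"""

if __name__ == "__main__":
    leaked, hosts = referer_exposure(SAMPLE_URL, SAMPLE_HTML)
    if leaked and hosts:
        print("query params", leaked, "would reach", hosts, "via Referer")
```

A page is exposed only when both lists are non-empty: a form submitted with POST, or an acknowledgement page with no off-site links, yields an empty list on one side.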