[626] in WWW Security List Archive
Re: HTTP "Referer" field considered harmful
daemon@ATHENA.MIT.EDU (wmperry@spry.com)
Tue Apr 25 13:14:30 1995
From: wmperry@spry.com
Date: Tue, 25 Apr 95 06:47 PDT
To: Goran Oberg <Goran.Oberg@dc.luth.se>
Reply-to: wmperry@spry.com
Cc: wmperry@spry.com, Paul Phillips <psphilli@sdcc8.UCSD.EDU>,
www-security@ns2.rutgers.edu
In-Reply-To: <199504250807.AA01332@goliat.dc.luth.se>
Errors-To: owner-www-security@ns2.rutgers.edu
Goran Oberg writes:
>
> To omit everything after a question mark would not solve the problem. It
> could give a false sense of security and that's something I think we
> should try to stay clear of.
>
> In the case of SATAN it wouldn't do any good as SATAN URLs are in the
> form
> http://<localhost>:<unknown_high_port_number>/<unknown_magic_cookie>/<path>
> and would be revealed all the same. So anyone running SATAN using the
> WWW- interface shouldn't connect to other servers in the midst of a
> SATAN-session.
If it's not using a form with method=get all the time, then you are right,
my solution wouldn't fix the problem.
This is what session IDs/cookies will be good at solving. There is a
good discussion going on in www-talk about just this topic if anyone cares
to drop in.
> PS. s/SATAN/SANTA/g if ( $OFFENDED ); (-:
heh. What if santa offends me too? s/SANTA/NASTA/g ? :)
-Bill P.
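An added illustration, not part of this thread and not SATAN's code: a small Python model of what a browser's Referer header carries under three policies (the full-URL behaviour of the time, the strip-after-"?" proposal, and origin-only), and why a session ID kept in a host-scoped cookie never reaches a third-party server. The URL, port and magic-cookie value are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed SATAN-style session URL (hypothetical values): the secret
# "magic cookie" sits in the path, so it survives any query-string stripping.
SESSION_URL = "http://localhost:18321/a1b2c3d4e5f6/satan/report.html?sort=name"
MAGIC_COOKIE = "a1b2c3d4e5f6"


def referer_for(page_url, policy):
    """Referer value a browser would send for a link clicked on page_url.

    'full'        - whole URL (the behaviour the thread complains about)
    'strip-query' - the proposal under discussion: drop everything after '?'
    'origin'      - scheme://host:port only (what Referrer-Policy 'origin' does today)
    """
    p = urlsplit(page_url)
    if policy == "full":
        return page_url
    if policy == "strip-query":
        return urlunsplit((p.scheme, p.netloc, p.path, "", ""))
    if policy == "origin":
        return urlunsplit((p.scheme, p.netloc, "/", "", ""))
    raise ValueError(policy)


def outbound_headers(page_url, link_url, policy, session_cookie=None):
    """Headers a browser attaches when following link_url from page_url.

    session_cookie is a (host, name, value) tuple modelling a session ID stored
    in a cookie scoped to the SATAN host instead of being embedded in the URL.
    """
    headers = {"Referer": referer_for(page_url, policy)}
    if session_cookie:
        cookie_host, name, value = session_cookie
        # A cookie is sent only to the host it is scoped to, so a link to a
        # third-party server never carries the session ID.
        if urlsplit(link_url).hostname == cookie_host:
            headers["Cookie"] = f"{name}={value}"
    return headers


def leaks_secret(headers, secret):
    """True if the secret appears in any header the third party would receive."""
    return any(secret in v for v in headers.values())
```

With the secret in the path, both "full" and "strip-query" leak it to any server the user clicks through to; only dropping the path (origin-only Referer) or moving the secret into a cookie keeps it on the SATAN host.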