[13781] in bugtraq


Re: recent 'cross site scripting' CERT advisory

daemon@ATHENA.MIT.EDU (Gregory Steuck)
Wed Feb 9 11:04:36 2000

Mime-Version: 1.0 (generated by tm-edit 7.108)
Content-Type: text/plain; charset=US-ASCII
Message-Id:  <8666vybyoo.fsf@home.nest.cx>
Date:         Tue, 8 Feb 2000 23:52:07 -0800
Reply-To: Gregory Steuck <greg@NEST.CX>
From: Gregory Steuck <greg@NEST.CX>
X-To:         Henri Torgemane <metal_hurlant@YAHOO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Henri Torgemane's message of "Tue, 8 Feb 2000 14:07:11 -0800"

>>>>> "Henri" == Henri Torgemane <metal_hurlant@YAHOO.COM> writes:

    Henri> But if it is done right (i.e.: you're explicitly specifying
    Henri> which files don't need a REFERRER check, rather than trying
    Henri> to keep a list of every script that needs it), I believe it
    Henri> can provide instant CSS protection without having to audit
    Henri> all these server scripts right away.

While we are at it, let's not forget that Referer is a privacy breach on
its own. And those who use junkbuster never send referer headers.  So be
careful when recommending referer as a remedy; it might hit security-conscious
types.

Bye
Greg

P.S. Yeah, one can configure junkbuster to send the referer header to certain
sites, but it's a hassle.
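The point raised in this thread, that a Referer check has to decide what to do when the header is simply absent (as it is for junkbuster users), is easy to get wrong if the check collapses "missing" and "wrong site" into one case. The following is an added example, not code from the thread or from any of the posters: a small Referer classifier for state-changing requests that reports "missing" as its own verdict so the site can set that policy deliberately. The host list, header dictionaries and the `allow_missing` switch are all constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the hosts whose pages are allowed to
# submit state-changing requests to this site.
ALLOWED_HOSTS = {"www.example.com"}


def classify_referer(headers, allowed_hosts=ALLOWED_HOSTS):
    """Classify the Referer of one request.

    Returns one of:
      'same-site'  - Referer names an allowed host
      'cross-site' - Referer names some other host
      'missing'    - no Referer header at all (privacy proxies, direct entry)
      'malformed'  - header present but not an http(s) URL with a host
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    lookup = {k.lower(): v for k, v in headers.items()}
    ref = lookup.get("referer")
    if ref is None or ref.strip() == "":
        return "missing"
    parts = urlsplit(ref.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "malformed"
    return "same-site" if parts.hostname.lower() in allowed_hosts else "cross-site"


def allow_request(headers, allow_missing=False):
    """Decide whether a state-changing request passes the Referer check.

    allow_missing is the policy knob the thread is really about: False
    locks out every client that strips Referer (the junkbuster case),
    True admits them at the cost of also admitting anything else that
    arrives without the header.  Either way the choice is explicit.
    """
    verdict = classify_referer(headers)
    if verdict == "same-site":
        return True
    if verdict == "missing":
        return allow_missing
    # 'cross-site' and 'malformed' are always refused.
    return False


def audit(requests, allow_missing=False):
    """Run the check over a batch of (label, headers) pairs for review."""
    return [(label, classify_referer(h), allow_request(h, allow_missing))
            for label, h in requests]


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    sample = [
        ("form on our site",   {"Referer": "http://www.example.com/edit"}),
        ("link from elsewhere", {"Referer": "http://other.example.net/page"}),
        ("junkbuster user",    {}),
        ("odd header",         {"referer": "not a url"}),
    ]
    for label, verdict, allowed in audit(sample):
        print(f"{label:20s} {verdict:10s} allowed={allowed}")
```

The second column of the audit output is the part worth keeping in a real deployment: a log of how many requests arrive with no Referer at all tells you how many legitimate users a strict policy would lock out before you switch it on.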
