[21101] in bugtraq


Re: The Dangers of Allowing Users to Post Images

daemon@ATHENA.MIT.EDU (Sverre H. Huseby)
Tue Jun 19 15:56:57 2001

Date: Tue, 19 Jun 2001 09:01:18 +0200
From: "Sverre H. Huseby" <shh@thathost.com>
To: Henrik Nordstrom <hno@hem.passagen.se>
Cc: Tim Nowaczyk <zimage@upl.cs.wisc.edu>, bugtraq@securityfocus.com
Message-ID: <20010619090118.Z24925@thathost.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3B2BF7FF.2DA8F4D7@hem.passagen.se>; from hno@hem.passagen.se on Sun, Jun 17, 2001 at 02:21:19AM +0200

(First, thanks a _lot_ for Squid, Henrik!)

[Henrik Nordstrom]

|   Further, if you pass around the ticket in URLs then this class of
|   attacks will also have full access to the ticket from the referer
|   URL, so if you only base your security on these two measurements
|   (client IP + ticket present in the URL) then you are most likely
|   at risk here.

There is, of course, no reason to add a ticket to off-site links.
The tickets are only understandable by our web application.

Tickets should only be tied to actions that have side effects on our
server (for which GET may be the Wrong Thing anyway).  If this principle
is followed, I can't see how anyone would be able to pick up Referers
containing tickets without having access to our server.  Please
enlighten me if I've misunderstood anything here.


Sverre.

-- 
<URL:mailto:shh@thathost.com>
<URL:http://shh.thathost.com/>
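
Added example, not part of the original message: a sketch of the rule discussed above, where a ticket is bound to one session and one side-effecting action, travels only in a POST body, and is refused when it shows up in a URL (where it could end up in a Referer header). The HMAC construction and all names (SERVER_KEY, issue_ticket, handle, render_form) are assumptions for illustration; the thread does not specify how tickets are built.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumption: a per-deployment secret; generated here so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)


def issue_ticket(session_id: str, action: str) -> str:
    """Ticket bound to one session and one side-effecting action path."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def ticket_ok(session_id: str, action: str, ticket: str) -> bool:
    """Constant-time comparison against the expected ticket."""
    expected = issue_ticket(session_id, action)
    return hmac.compare_digest(expected.encode(), ticket.encode())


def handle(method: str, url: str, form: dict, session_id: str) -> int:
    """Return an HTTP status for a request to a state-changing action."""
    parts = urlsplit(url)
    if method != "POST":
        return 405  # side effects are never reachable through GET
    if "ticket" in parse_qs(parts.query):
        return 400  # a ticket in the URL could leak through Referer
    if not ticket_ok(session_id, parts.path, form.get("ticket", "")):
        return 403  # missing, forged, or issued for another session/action
    return 200


def render_form(session_id: str, action: str) -> str:
    """The ticket is emitted as a hidden field of an on-site POST form only."""
    ticket = issue_ticket(session_id, action)
    return (
        f'<form method="post" action="{html.escape(action, quote=True)}">'
        f'<input type="hidden" name="ticket" value="{ticket}">'
        "</form>"
    )


if __name__ == "__main__":
    sid = "session-1"  # constructed sample session id
    t = issue_ticket(sid, "/delete")
    print(handle("POST", "/delete", {"ticket": t}, sid))
    print(handle("GET", "/delete?ticket=" + t, {}, sid))
```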
