[21105] in bugtraq
Re: The Dangers of Allowing Users to Post Images
daemon@ATHENA.MIT.EDU (Henrik Nordstrom)
Tue Jun 19 16:52:49 2001
Message-ID: <3B2F5451.9AC88F@hem.passagen.se>
Date: Tue, 19 Jun 2001 15:32:01 +0200
From: Henrik Nordstrom <hno@hem.passagen.se>
MIME-Version: 1.0
To: "Sverre H. Huseby" <shh@thathost.com>
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sverre H. Huseby wrote:
> There are, of course, no reason to add a ticket to off-site links.
> The tickets are only understandable by our web application.
>
> Tickets should only be tied to actions that have side effects on our
> server (for which GET may be Wrong Thing anyway). If this principle
> is followed, I can't see how anyone would be able to pick up Referers
> containing tickets without having access to our server. Please
> enlighten me if I've misunderstood anything here.
If the your page for some reasons references an external object (page,
image or whatever) then this external object will get the refeferer
header indicating the full URL of your page. If this URL (the URL of
your page) includes the users ticket then the ticket is exposed to that
external object.
From this simple reason, my the guideline is to never include tickets in
URL's. Always pass them around using (hidden) form fields sent via POST.
--
Henrik Nordstrom
Squid HTTP proxy developer
