[21106] in bugtraq
Re: never-ending Referer arguments (The Dangers of Allowing Users to Post Images)
daemon@ATHENA.MIT.EDU (Peter W)
Tue Jun 19 17:07:29 2001
Date: Tue, 19 Jun 2001 12:47:12 -0400
From: Peter W <peterw@usa.net>
To: Henrik Nordstrom <hno@hem.passagen.se>
Cc: bugtraq@securityfocus.com
Message-ID: <20010619124712.C630@usa.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3B2F572A.2542C8DB@hem.passagen.se>; from hno@hem.passagen.se on Tue, Jun 19, 2001 at 03:44:10PM +0200
On Tue, Jun 19, 2001 at 03:44:10PM +0200, Henrik Nordstrom wrote:
> peterw@usa.net wrote:
>
> > Folks are missing the point on the Referer check that I suggested.
>
> I intentionally selected not to go down that path in my message, as there
> are quite a few pitfalls with Referer, and it can easily be
> misunderstood, allowing the application designer to falsely think they have
> done a secure design using Referer.
Henrik,
You also revealed your lack of understanding of the Referer check logic when
you wrote "It is well known that Referer can be forged, and to further add
to this some browsers preserve Referer when following redirects, allowing
this kind of attack to bypass any Referer check if your users follow URLs
(direct or indirect via images) posted by other users or even your own staff
when linking to external sites." Neither forging Referers nor preserving
Referers across redirects threatens the model I suggested.
> Also, as shown earlier in the thread, using Referer may render the
> service less useful for some people. There are people who filter out
> Referer from their HTTP traffic because there are too many bugs in
> user-agents showing Referer to things it should not expose externally.
I mentioned that myself, as you may recall.
As for recommending one-time tickets, we agree there.
All this chatter about Referer checks amounts to two things:
- some folks not understanding the model
- folks legitimately disagreeing on the number of users who might be
  locked out by a Referer check.
-Peter
Web applications designer and Squid user :-)
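As an added illustration of the two mechanisms debated in this thread (not code from either poster): a same-host Referer check for state-changing requests that reports a stripped Referer separately from a cross-site one, so the "locked-out users" question can be decided as policy rather than silently rejecting them, alongside the one-time ticket approach both sides agree on. The host name and the sample requests are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"  # assumed hostname of the protected application


def referer_verdict(headers: dict, site_host: str = SITE_HOST) -> str:
    """Classify a state-changing request by its Referer header.

    'allow'  - Referer present and names our own host
    'reject' - Referer present but names another host (cross-site request)
    'absent' - no Referer at all (stripped by user-agent or proxy); the
               application decides whether such users are locked out.
    """
    referer = headers.get("Referer")
    if not referer:
        return "absent"
    host = urlsplit(referer).hostname
    # Compare whole hostnames, not string prefixes, so that a Referer of
    # "http://www.example.com.evil.test/" does not pass as our own site.
    if host is not None and host.lower() == site_host.lower():
        return "allow"
    return "reject"


class TicketStore:
    """One-time tickets: issued with the form, valid for exactly one submission."""

    def __init__(self):
        self._tickets = {}  # session id -> set of outstanding tickets

    def issue(self, session_id: str) -> str:
        ticket = secrets.token_urlsafe(32)
        self._tickets.setdefault(session_id, set()).add(ticket)
        return ticket

    def redeem(self, session_id: str, presented: str) -> bool:
        """Accept a ticket once; a second presentation (replay) fails."""
        outstanding = self._tickets.get(session_id, set())
        match = next((t for t in outstanding
                      if hmac.compare_digest(t, presented)), None)
        if match is None:
            return False
        outstanding.discard(match)  # consumed
        return True


if __name__ == "__main__":
    # Constructed sample requests: a legitimate form post and a posted-image request
    print(referer_verdict({"Referer": "http://www.example.com/settings"}))  # allow
    print(referer_verdict({"Referer": "http://board.example.net/thread/7"}))  # reject
    print(referer_verdict({}))  # absent
```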