Home page logo

bugtraq logo Bugtraq mailing list archives

Re: recent 'cross site scripting' CERT advisory
From: greg () NEST CX (Gregory Steuck)
Date: Tue, 8 Feb 2000 23:52:07 -0800

"Henri" == Henri Torgemane <metal_hurlant () YAHOO COM> writes:

    Henri> But if it is done right (i.e.: you're explicitely specifying
    Henri> which files don't need a REFERRER check, rather than trying
    Henri> to keep a list of every script that needs it), I believe it
    Henri> can provide instant CSS protection without having to audit
    Henri> all these server scripts right away.

While we are at it, let's not forget that Referer is a privacy breach on
it own. And those who use junkbuster never send referer headers.  So be
careful when recommending referer as a remedy, it might hit security
conscious types.


P.S. Yeah, one can configure junkbuster to send referer header to certain
sites but it's a hassle.

  By Date           By Thread  

Current thread:
  • Re: recent 'cross site scripting' CERT advisory Gregory Steuck (Feb 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]