Home page logo

bugtraq logo Bugtraq mailing list archives

Re: The Dangers of Allowing Users to Post Images
From: Peter W <peterw () usa net>
Date: Fri, 15 Jun 2001 16:33:25 -0400

On Thu, Jun 14, 2001 at 09:12:05PM -0400, Chris Lambert wrote:

would it be safe to check
that if a referer is present, it contains the sites' domain name,


but if it
isn't, it most likely wouldn't have been referenced in an <img> tag or
submitted via JavaScript?

You mean it's safe/legitimate? No. Client-pull META tags generate requests
without Referers, as I've said a couple times in this thread, and in
previous Bugtraq discussions, too. :-)

If you don't see the Referer, you can't trust the request. Your best bet is 
to lock out users who won't pass Referers.

Or at least, when you initialize a user session, note if they seem to be
passing Referer values. If they are, then you should certainly reject any
later request that seems to be theirs, but lacks a Referer header.

Note that in some cases, MSIE won't send a Referer if the TARGET of a link 
is a different window, or that used to be the case. 

This is messy.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]