Home page logo

bugtraq logo Bugtraq mailing list archives

Re: The Dangers of Allowing Users to Post Images
From: Henrik Nordstrom <hno () hem passagen se>
Date: Tue, 19 Jun 2001 15:32:01 +0200

Sverre H. Huseby wrote:

There are, of course, no reason to add a ticket to off-site links.
The tickets are only understandable by our web application.

Tickets should only be tied to actions that have side effects on our
server (for which GET may be Wrong Thing anyway).  If this principle
is followed, I can't see how anyone would be able to pick up Referers
containing tickets without having access to our server.  Please
enlighten me if I've misunderstood anything here.

If the your page for some reasons references an external object (page,
image or whatever) then this external object will get the refeferer
header indicating the full URL of your page. If this URL (the URL of
your page) includes the users ticket then the ticket is exposed to that
external object.

From this simple reason, my the guideline is to never include tickets in
URL's. Always pass them around using (hidden) form fields sent via POST.

Henrik Nordstrom
Squid HTTP proxy developer

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]