Bugtraq mailing list archives
Re: [BUGTRAQ] Re: never-ending Referer arguments (The Dangers of Allowing Users to Post Images)
From: CDI <cdi () thewebmasters net>
Date: Tue, 19 Jun 2001 15:07:39 -0700 (PDT)
On Tue, 19 Jun 2001, Peter W wrote:
> On Tue, Jun 19, 2001 at 03:44:10PM +0200, Henrik Nordstrom wrote:
> > peterw () usa net wrote:
> > > Folks are missing the point on the Referer check that I suggested.
> >
> > I intentionally selected to not go down that path in my message as there
> > are quite a bit of pitfalls with Referer, and it can easily be
> > misunderstood allowing the application designer to falsely think they
> > have done a secure design using Referer.
>
> Henrik,
>
> You also revealed your lack of understanding of the Referer check logic when
Snide commentary aside, there seems to be a misunderstanding about Referers and their use in any type of validation or check. Let me see if I can make this as clear as possible: Using the referer for anything other than statistics gathering to show the marketing wonks who is linking to your site would be, and is, a mistake. Whether the referer exists or not, is correct or not, or is even the correct format for a URI should be completely irrelevant. If the referer is relevant in -any- way to the integrity of the data you are attempting to validate then your security model is broken.
> All this chatter about Referer checks amounts to two things:
>
> - some folks not understanding the model
I understand your model perfectly well and I see it for the fallacy that it is. That you apparently cannot see this for yourself is distressing. I do not see the logic in validating user submitted (form) data with yet more user submitted data. Perhaps I'm misunderstanding why you (or anyone for that matter) would blindly put any credibility whatsoever in any user input, which includes the Referer. Your "three-stage security model" has but one stage that I can see. The other two steps are sugar coating that add no further benefit to your security "model". From one of your previous emails...
> An attacker can trick the victim's browser into sending 1 + 2. Or the
> attacker himself can send 2 + 3. But the attacker cannot get the victim
> to send 1 + 2 + 3, unless the application is poorly designed.
By definition an exploitable web application is poorly designed. I can and I have written exploits to reproduce not only valid input, but valid cookies and referer data all in the same instant. The victim didn't even need to click a link - they just opened their webmail and the application was instantly compromised - I had their cookies, the URL data and the referer all rolled into one. The webmail was compromised because my exploit successfully reproduced all three of your security stages. Every single "crack" out there - from brute forcing passwords to overrunning buffers - is dependent upon one thing: improper validation of user supplied or manipulated data. If you decide to treat the Referer as anything other than what it is, untrustworthy user data, you do so at your peril.
> - folks legitimately disagreeing on the number of users who might be
>   locked out by a Referer check.
Those that check the referer for purposes beyond statistical or marketing needs are just wasting time. It cannot and will not make the data any safer or more trustworthy.

CDI
____________________________________
The Web Master's Net
http://www.thewebmasters.net/

"I would imagine even a trained MSCE-monkey can run a virus scan...
OW! What the hell? Ack! Help! Idealism is biting me on the ass!
Get it off! Get it off!"
-- Andrew Boring in the Monastery
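As an added example (not part of CDI's post and not code from any application discussed in the thread), the Python sketch below puts a "cookie + form data + Referer" gate of the kind the thread argues over beside two constructed requests: one that a script builds with whatever Referer it likes, and one that a browser behind a Referer-stripping proxy would send. The host name, session table, form field, paths and request bytes are all invented for the illustration; the point it shows is that the Referer stage is set by the same party that sets the other two, and that requiring it turns away clients that simply do not send one.

```python
"""
Constructed demonstration of a Referer-based request check (hypothetical
gate, not code from the thread) run against two hand-built HTTP requests.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed session table: cookie header value -> logged-in user.
SESSIONS = {"sid=7f3a9c": "victim"}

# Assumed application host that the Referer is expected to name.
TRUSTED_HOST = "webmail.example"


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers,
            "body": body.decode("iso-8859-1")}


def three_stage_check(req: dict) -> tuple:
    """Return (accepted, reason) for a cookie + form data + Referer gate.

    Every stage is read from the request itself, so every stage is
    something the sender chose to put there.
    """
    cookie = req["headers"].get("cookie", "")
    user = SESSIONS.get(cookie)
    if user is None:
        return False, "stage 1: unknown session cookie"
    form = parse_qs(req["body"])
    if form.get("action") != ["delete_all"]:
        return False, "stage 2: no valid form data"
    referer = req["headers"].get("referer")
    if referer is None:
        return False, "stage 3: no Referer header at all"
    if urlsplit(referer).hostname != TRUSTED_HOST:
        return False, "stage 3: Referer names another host"
    return True, f"accepted for {user}"


# Constructed request a script sends, with a Referer it simply typed in and a
# cookie value obtained some other way (in the post, through the webmail app).
FORGED = (
    b"POST /mail/act HTTP/1.0\r\n"
    b"Host: webmail.example\r\n"
    b"Cookie: sid=7f3a9c\r\n"
    b"Referer: http://webmail.example/mail/inbox\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 17\r\n"
    b"\r\n"
    b"action=delete_all"
)

# Constructed request from the real user, whose proxy dropped the Referer:
# identical in every way that matters, yet the gate rejects it.
STRIPPED = (
    b"POST /mail/act HTTP/1.0\r\n"
    b"Host: webmail.example\r\n"
    b"Cookie: sid=7f3a9c\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 17\r\n"
    b"\r\n"
    b"action=delete_all"
)


def run() -> tuple:
    """Evaluate both constructed requests against the gate."""
    return (three_stage_check(parse_request(FORGED)),
            three_stage_check(parse_request(STRIPPED)))


if __name__ == "__main__":
    for verdict in run():
        print(verdict)
```

Running it accepts the scripted request and rejects the legitimate one, which is the pair of outcomes the thread is arguing about: the header adds nothing the attacker cannot supply, while its absence costs real users.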
Current thread:
- The Dangers of Allowing Users to Post Images John Percival (Jun 14)
- Re: The Dangers of Allowing Users to Post Images Sverre H. Huseby (Jun 15)
- Re: The Dangers of Allowing Users to Post Images Tim Nowaczyk (Jun 16)
- Re: The Dangers of Allowing Users to Post Images Henrik Nordstrom (Jun 18)
- Re: The Dangers of Allowing Users to Post Images peterw (Jun 19)
- Re: The Dangers of Allowing Users to Post Images Henrik Nordstrom (Jun 19)
- Re: never-ending Referer arguments (The Dangers of Allowing Users to Post Images) Peter W (Jun 19)
- Re: [BUGTRAQ] Re: never-ending Referer arguments (The Dangers of Allowing Users to Post Images) CDI (Jun 22)
- Re: The Dangers of Allowing Users to Post Images Tim Nowaczyk (Jun 16)
- Re: The Dangers of Allowing Users to Post Images John Percival (Jun 22)
- Re: The Dangers of Allowing Users to Post Images Michal Szokolo (Jun 24)
- Re: The Dangers of Allowing Users to Post Images Travis Siegel (Jun 25)
- Re: The Dangers of Allowing Users to Post Images Sverre H. Huseby (Jun 15)
- Re: The Dangers of Allowing Users to Post Images Jeffrey W. Baker (Jun 25)
- Re: The Dangers of Allowing Users to Post Images Sverre H. Huseby (Jun 19)
- Re: The Dangers of Allowing Users to Post Images Henrik Nordstrom (Jun 19)
- Re: The Dangers of Allowing Users to Post Images Brett Lymn (Jun 18)
- Re: The Dangers of Allowing Users to Post Images Marc Slemko (Jun 16)
- Re[2]: The Dangers of Allowing Users to Post Images Alexander K. Yezhov (Jun 16)