#2340 More Fine-grained referer (cross site scripting) check

Other
open
Jamie Cameron
None
5
2005-11-29
2005-11-26
Alain Knaff
No

At the LLL project we have set up apache gateways to
webmin on the same server where our students
(untrusted ;-) ) have accounts and personal web
pages.

So we want to set up the referers in such a way that
a reference from https://www.ourserver.lu/WebMin/ is
allowed, but a reference from
https://www.ourserver.lu/~littlehax0r/ is not.

The attached patch allows matching referers against
prefixes (including directories), in addition to just
host names.

Moreover, it leaves port numbers in the site names,
to prevent a similar attack with redirects that go
directly to port 10000 rather than through the Apache
proxy. Thus a referer from
http://www.ourserver.lu:10000/ would be ok, but one
from http://www.ourserver.lu/~littlehax0r would not.
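A referer check of the kind described above, as an added example (not the attached patch and not Webmin's own code): trusted entries are full URL prefixes, so scheme, host, port and directory all have to match, while a bare host name keeps the coarser old-style rule. The allow-list is constructed from the URLs in the report.

```python
from posixpath import normpath
from urllib.parse import urlsplit

# Constructed allow-list for this example: URL prefixes (scheme, host, port
# and directory) or bare host names, which match any port and path on that host.
TRUSTED_REFERERS = [
    "https://www.ourserver.lu/WebMin/",
    "http://www.ourserver.lu:10000/",
]


def split_referer(url):
    """Return (scheme, host, port, normalized path), or None if unusable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric port
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    # Collapse "." and ".." so /WebMin/../~x/ cannot pass as /WebMin/
    path = normpath(parts.path or "/")
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"
    return parts.scheme, parts.hostname.lower(), port, path


def referer_allowed(referer, trusted=TRUSTED_REFERERS):
    """True if the referer falls under one of the trusted prefixes."""
    ref = split_referer(referer)
    if ref is None:
        return False
    scheme, host, port, path = ref
    for entry in trusted:
        if "://" not in entry:
            if host == entry.lower():  # host-name entry: old behaviour
                return True
            continue
        trusted_ref = split_referer(entry)
        if trusted_ref is None:
            continue
        t_path = trusted_ref[3]
        t_path = t_path if t_path.endswith("/") else t_path + "/"
        # Compare on a directory boundary so /WebMinEvil/ never matches /WebMin/
        if (scheme, host, port) == trusted_ref[:3] and (path + "/").startswith(t_path):
            return True
    return False
```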

Discussion

  • Alain Knaff
    2005-11-26

    Patch to make referer check more picky

  • Jamie Cameron
    2005-11-29

    • assigned_to: nobody --> jcameron