#2340 More Fine-grained referer (cross site scripting) check

Other
open
None
5
2005-11-29
2005-11-26
Alain Knaff
No

At the LLL project we have set up apache gateways to
webmin on the same server where our students
(untrusted ;-) ) have accounts and personal web
pages.

So we want to set up the referers in such a way that
a reference from https://www.ourserver.lu/WebMin/ is
allowed, but a reference from
https://www.ourserver.lu/~littlehax0r/ is not.

The patch attached allows to match referers against
prefixes (including directories), in addition to just
host names

Moreover, it leaves port numbers in the site names,
to prevent a similar attack with redirects that go
directly to port 10000 rather than through the Apache
proxy. Thus a referer from
http://www.ourserver.lu:10000/ would be ok, but one
from http://www.ourserver.lu/~littlehax0r not

Discussion

  • Alain Knaff

    Alain Knaff - 2005-11-26

    Patch to make referer check more picky

     
    Attachments
  • Jamie Cameron

    Jamie Cameron - 2005-11-29
    • assigned_to: nobody --> jcameron
     

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks