Archived from groups: comp.security.firewalls (More info?)
In <wuLXe.9346$gE7.9332@fe08.lga> "Name" <name@nospam.com> writes:
>Are referers a "security concern"?
Sort of. If you have a "secret" page, i.e. one to which no external
links exist, and you have a link on that page to someone with a
visible refererlog, your "secret" page might be picked up by a
google-bot via the refererlog, thus making the contents of the
"secret" page part of google's database where it can linger on
for some time beyond your control. "Security concern?" You decide.
A twist on this involves permissions changing on the "secret"
page, thus making it visible to the world (of course an error, but
without the refererlog no harm would have been done).
Name wrote:
> Are referers a "security concern"?
You mean HTTP_REFERER? Yes. You can possibly click on a link from within a
password-protected area. Sometimes the password as well as user name along
with other stuff are being (erroneously) sent to the authentication system
via a GET request and therefore they become a part of the URL. So, if you
logged in and clicked on a link, your user ID and password (as well as
plenty of other juicy info) will be visible in the logs of the server you've
just visited.
Web statistics software is most prone to this kind of problem but you may
come across this in link exchanges, directories and such. Anything that is
designed to work with links.
Good luck!
DA
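
As an added example (not part of either post): a log audit a site operator could run so that credentials arriving in Referer headers, as the second reply describes, are not kept or published in referer logs. The parameter-name list, the function names and the sample log lines are assumptions constructed for illustration, and the Apache combined log format is assumed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed list of credential-like parameter names; extend it for your applications.
SENSITIVE = {"user", "username", "login", "password", "passwd", "pwd", "token", "sessionid"}

# Tail of a combined-format line: "request" status bytes "referer" "user-agent"
QUOTED = r'"(?:[^"\\]|\\.)*"'
LINE_RE = re.compile(QUOTED + r' \d{3} \S+ "(?P<referer>(?:[^"\\]|\\.)*)" ' + QUOTED + r'\s*$')

def redact_referer(referer):
    """Return (redacted_url, sorted names of the sensitive parameters found)."""
    parts = urlsplit(referer)
    found, clean = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            found.append(key)
            value = "REDACTED"
        clean.append((key, value))
    if not found:
        return referer, []
    return urlunsplit(parts._replace(query=urlencode(clean))), sorted(found)

def audit(lines):
    """Yield (line_number, redacted_referer, parameter_names) for leaking entries."""
    for number, line in enumerate(lines, 1):
        match = LINE_RE.search(line)
        if not match or match.group("referer") in ("", "-"):
            continue  # malformed line or no Referer header sent
        redacted, found = redact_referer(match.group("referer"))
        if found:
            yield number, redacted, found

# Constructed sample log lines (documentation addresses and example domains).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2005:10:00:00 +0000] "GET /links.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Jan/2005:10:00:05 +0000] "GET /links.html HTTP/1.1" 200 512 '
    '"http://intranet.example/auth?user=alice&password=hunter2&next=%2Fhome" "Mozilla/5.0"',
    '192.0.2.12 - - [01/Jan/2005:10:00:09 +0000] "GET /links.html HTTP/1.1" 200 512 '
    '"http://www.example.org/directory?page=2" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, redacted, found in audit(SAMPLE_LOG):
        print(f"line {number}: referer carries {found}; store as {redacted}")
```

Running the redaction before log lines are written to a statistics page or referer list keeps the credential values out of anything a crawler can index.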