Posted to dev@sling.apache.org by "Antonio Sanso (JIRA)" <ji...@apache.org> on 2015/02/26 14:03:04 UTC

[jira] [Updated] (SLING-4019) ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false

     [ https://issues.apache.org/jira/browse/SLING-4019?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antonio Sanso updated SLING-4019:
---------------------------------
    Fix Version/s: Security 1.0.8

> ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false
> -----------------------------------------------------------
>
>                 Key: SLING-4019
>                 URL: https://issues.apache.org/jira/browse/SLING-4019
>             Project: Sling
>          Issue Type: Bug
>            Reporter: Antonio Sanso
>            Assignee: Antonio Sanso
>             Fix For: Security 1.0.8
>
>
> The ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false.
> The reason is that the attacker can force an empty referrer in at least two ways:
> - if the victim site runs using http, the attacker can create a "mallory page" under an https site. In this case (namely https-to-http) the referrer is not passed.
> - The attacker creates a dynamic post doing something like:
> {code}
> <head>
> <script>
> function load() {
>     var postdata = '<form id=dynForm method=POST action=\'https://www.google.com\'>' +
>                     '<input type=hidden name=email value=example@live.com />' +
>                     '<input type=hidden name=pass value=password />' +
>                     '<input type=hidden name=locale value=en_US />' +
>                     '</form>';
>     top.frames[0].document.body.innerHTML=postdata;
>     top.frames[0].document.getElementById('dynForm').submit();
> }
> </script>
> </head>
> <body onload="load()">
> <iframe src="about:blank" id="noreferer"></iframe>
> </body>
> </html>
> {code}
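To show why the default matters, here is a simplified referrer check written for this message (added example; it is not Sling's ReferrerFilter code). It assumes that only POST/PUT/DELETE are checked, that the server's own host is always an accepted referrer, and that extra accepted hosts are passed in explicitly; the request samples are constructed.

```python
"""Simplified referrer-check filter (example, not Sling's own code).

Assumptions made for this example: only modifying methods are checked,
the server's own host is always an accepted referrer, and additional
accepted hosts are supplied by the caller.
"""
from urllib.parse import urlsplit

MODIFYING_METHODS = {"POST", "PUT", "DELETE"}


def referrer_allowed(method, referer, server_host, allow_empty=False, allowed_hosts=()):
    """Return True if the request should pass the referrer check."""
    if method.upper() not in MODIFYING_METHODS:
        return True  # read-only requests are never blocked
    if referer is None or referer.strip() == "":
        # An empty Referer is exactly what an https-to-http hop or an
        # about:blank frame produces, so the safe default is to reject it.
        return allow_empty
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # malformed or non-HTTP referer
    return parts.hostname == server_host.lower() or parts.hostname in allowed_hosts


# Constructed sample requests: (method, Referer header, label)
REQUESTS = [
    ("GET", None, "read-only"),
    ("POST", "https://sling.example/content/page", "same-site form"),
    ("POST", "https://mallory.example/page", "cross-site form"),
    ("POST", None, "referer suppressed"),
    ("POST", "javascript:void(0)", "malformed"),
]


def evaluate(allow_empty):
    """Run every sample request through the filter with the given setting."""
    return {label: referrer_allowed(m, r, "sling.example", allow_empty)
            for m, r, label in REQUESTS}


if __name__ == "__main__":
    for flag in (True, False):
        print(f"allow_empty={flag}: {evaluate(flag)}")
```

With allow_empty=True the "referer suppressed" request passes just like the same-site form, which is the gap the ticket closes by defaulting to False.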



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)