Posted to dev@httpd.apache.org by Marc Slemko <ma...@worldgate.com> on 1997/10/12 02:15:20 UTC

dangers of referrer header combined with proxies

Places like hotmail use a combination of URL and the IP address the
request comes from to give access to mail.  If you are coming from the
same IP, you can enter the URL from a message obtained previously by
authenticating.  I would presume there is some timeout.

This means if you follow a link in the body of the message, your web
browser will send the message URL in the referer header.  No problem
unless you are coming through a proxy--then anyone who can see the logs on
the server and can access the same proxy can grab the message, access the
entire mailbox and send mail from you.  Yuck. And I thought HTTP basic
authentication was bad...

I didn't think anyone would be that stupid.  Hell, even bastardizing
cookies for authentication is better than that. 
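As an added illustration, not part of the original thread or of any Apache code, the following Python script shows what a proxy operator could do about the leak described above: scan an access log for Referer headers whose URL carries a login or session secret, report which client IP sent it, and redact those values before they reach the log at all. The log format (Apache "combined"), the parameter names on the watch list, and the sample log lines are all constructed assumptions, not Hotmail's real URLs.

```python
"""Find and redact credential-bearing Referer URLs in proxy access logs."""
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Assumption: the proxy writes Apache "combined" format (client IP ... "referer" "user-agent").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: a generic watch list of query parameter names that tend to carry
# a login or session secret. Real webmail parameter names will differ.
SECRET_PARAM_NAMES = {"auth", "sid", "session", "sessionid", "token",
                      "login", "passwd", "password"}
# Long opaque values are treated as secrets even under an unknown parameter name.
OPAQUE_VALUE_RE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")

# Constructed sample log lines (not real traffic). Two clients behind the same
# proxy follow links out of a webmail message; the message URL rides along in Referer.
SAMPLE_LOG = """\
10.1.2.3 - - [11/Oct/1997:23:59:01 -0600] "GET http://www.example.org/ HTTP/1.0" 200 512 "http://webmail.example.com/cgi-bin/getmsg?login=alice&msgid=7&auth=3f9c1a2b4d5e6f70" "Mozilla/4.0"
10.1.2.3 - - [11/Oct/1997:23:59:05 -0600] "GET http://www.example.org/logo.gif HTTP/1.0" 200 2048 "http://www.example.org/" "Mozilla/4.0"
10.1.2.9 - - [11/Oct/1997:23:59:20 -0600] "GET http://news.example.net/ HTTP/1.0" 200 900 "-" "Mozilla/4.0"
10.1.2.4 - - [12/Oct/1997:00:02:11 -0600] "GET http://shop.example.org/ HTTP/1.0" 200 77 "http://webmail.example.com/cgi-bin/getmsg?login=bob&msgid=12&sid=ab12cd34ef56ab12" "Lynx/2.7"
"""


@dataclass
class Leak:
    client_ip: str
    timestamp: str
    referer: str
    params: Dict[str, str] = field(default_factory=dict)


def suspicious_params(url: str) -> Dict[str, str]:
    """Return the query parameters of `url` that look like credentials."""
    found: Dict[str, str] = {}
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        value = values[0]
        if name.lower() in SECRET_PARAM_NAMES or OPAQUE_VALUE_RE.match(value):
            found[name] = value
    return found


def find_leaked_referers(log_text: str) -> List[Leak]:
    """Detection: every log line whose Referer carries credential-looking parameters."""
    leaks: List[Leak] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("referer") in ("", "-"):
            continue
        params = suspicious_params(m.group("referer"))
        if params:
            leaks.append(Leak(m.group("ip"), m.group("ts"), m.group("referer"), params))
    return leaks


def redact_referer(url: str) -> str:
    """Mitigation: keep the Referer for analysis but blank out secret values before logging."""
    parts = urlsplit(url)
    secrets = suspicious_params(url)
    if not secrets:
        return url
    pairs = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            pairs.append(f"{name}={'REDACTED' if name in secrets else value}")
    return urlunsplit(parts._replace(query="&".join(pairs)))


if __name__ == "__main__":
    for leak in find_leaked_referers(SAMPLE_LOG):
        print(f"{leak.client_ip} at {leak.timestamp} leaked {sorted(leak.params)}")
        print(f"  logged as: {redact_referer(leak.referer)}")
```

The detector flags the first and fourth lines (the `auth` and `sid` values, plus the `login` names), while the plain site Referer on the second line and the empty `-` on the third pass. Redacting at log-write time removes the secret from the place a second user of the same proxy could read it; it does nothing about the Referer still leaving the proxy towards the linked site, which only the webmail service itself can fix by not putting credentials in URLs.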


Re: dangers of referrer header combined with proxies

Posted by Marc Slemko <ma...@worldgate.com>.
But Marc, people can already send mail from you ;) 

On Sat, 11 Oct 1997, Marc Slemko wrote:

> ... and send mail from you.