[dev] Fwd: [Bug 1246] New - session hijacking using referer URL

Mike Cochrane mike at graftonhall.co.nz
Tue May 13 21:20:12 PDT 2003


> ----- Message from chuck at horde.org ---------
>
> + (The following description and proposed solution is from
> + christian.jaeger at ethlife.ethz.ch)
> +
> + Let the victim log into a non-ssl imp3 account. Let him read a mail
> + from you with a URL to your server somewhere in it. Wait until he
> + clicks on the URL, and watch the referrer URL including the sessionid
> + being written to the apache log. Copy it into your own browser window
> + (does not even need to be at the same ip), and enjoy reading the
> + victim's personal email.
> +
> + Solution: each external link is rewritten to something like
> + "http://your.imp.server/redirector.php?url=http://external.server/uri"
> +

This has been discussed a number of times that I remember, may have been in #horde
and not the list. But a 'de-referer' would definitely be useful for external
links.

- Mike :-)
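The link rewrite plus redirector from the proposed solution, sketched in Python as an added example (this is not Horde/IMP code, which is PHP; the host name your.imp.server and the endpoint name redirector.php are taken from the bug report, everything else is assumed). One caveat the proposal does not mention: a redirector that answers with a plain 302 does not hide anything, because browsers forward the Referer of the original page (the session URL) across HTTP redirects. The redirector below therefore serves an HTML page that declares a no-referrer policy (Referrer-Policy header and meta tag, both later standards than this 2003 thread) and meta-refreshes to the target, and it rejects anything that is not an absolute http(s) URL so it cannot be abused as an open javascript:/data: redirector.

```python
"""Added example, not Horde/IMP code: rewrite external links in a mail body so
they go through a de-referer endpoint, and the server side of that endpoint."""
import html
import re
from urllib.parse import urlencode, urlsplit, parse_qs

IMP_HOST = "your.imp.server"                        # from the bug report
REDIRECTOR = f"http://{IMP_HOST}/redirector.php"     # endpoint name from the proposal

# Matches href="..." / href='...' in an HTML mail body (assumed simplified parser).
_HREF = re.compile(r'href\s*=\s*(["\'])(.*?)\1', re.IGNORECASE)


def is_external(url: str) -> bool:
    """True for absolute http(s) links whose host is not the IMP server itself."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and parts.netloc.lower() != IMP_HOST


def rewrite_links(body: str) -> str:
    """Rewrite every external href so the click lands on the redirector first.
    Internal, relative and mailto: links are left untouched."""
    def repl(m: re.Match) -> str:
        quote, target = m.group(1), html.unescape(m.group(2))
        if not is_external(target):
            return m.group(0)
        via = REDIRECTOR + "?" + urlencode({"url": target})
        return f"href={quote}{html.escape(via, quote=True)}{quote}"
    return _HREF.sub(repl, body)


def redirector_response(query_string: str):
    """Server side of redirector.php: validate the target and return
    (status, headers, body). Deliberately NOT a 302: browsers keep the
    original Referer (the session URL) across HTTP redirects, so instead
    serve a page that sets referrer policy no-referrer and meta-refreshes."""
    target = parse_qs(query_string).get("url", [""])[0]
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        # Rejects javascript:, data:, protocol-relative and empty targets.
        return 400, {"Content-Type": "text/plain"}, "invalid redirect target"
    safe = html.escape(target, quote=True)
    body = (
        '<!DOCTYPE html><html><head>'
        '<meta name="referrer" content="no-referrer">'
        f'<meta http-equiv="refresh" content="0;url={safe}">'
        f'</head><body><a href="{safe}">Continue</a></body></html>'
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Referrer-Policy": "no-referrer",
    }
    return 200, headers, body


if __name__ == "__main__":
    # Constructed sample mail body: one external link, one internal link.
    mail = ('<p>Hi, see <a href="http://external.server/uri">this</a> and '
            '<a href="/imp/message.php?index=3">that mail</a>.</p>')
    print(rewrite_links(mail))
    status, headers, page = redirector_response(
        "url=http%3A%2F%2Fexternal.server%2Furi")
    print(status, headers["Referrer-Policy"])
    print(page)
```

Note that this only closes the leak through links inside mail; a session id carried in the URL still ends up in browser history, proxy logs and bookmarks, so moving the session to a cookie (or at least forcing SSL) removes the root cause rather than one symptom.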


