[dev] Fwd: [Bug 1246] New - session hijacking using referer URL

Salim Virani me at salimvirani.com
Tue May 13 21:43:56 PDT 2003


Rather than intercepting the attack by trying to obscure the referrer  
information, it might be worth considering strengthening the actual  
authentication method as well.

Implementing some kind of digest authentication would mitigate this and  
other attacks because the authentication mechanism would be more  
sophisticated than the simple sessionid token used now.  It would also  
be stronger than a solution bolstering the existing authentication  
method with IP or referrer detection because those can be spoofed.   
This method is already supported by later browsers at the HTTP layer  
but it could also be put together using a little javascript at the  
application layer. (An HTTP layer solution would be more secure as it  
wouldn't be prone to javascript sniffing and so on)

(See http://www.ietf.org/rfc/rfc2617.txt for a description of HTTP  
Digest Auth)

I'm humbly throwing this out there as a suggestion.  I'm not familiar  
with IMP3 code or this scenario in detail.  Is this a reasonable  
suggestion?

On Tuesday, May 13, 2003, at 09:20 PM, Mike Cochrane wrote:

>> ----- Message from chuck at horde.org ---------
>>
>> + (The following description and proposed solution is from
>> + christian.jaeger at ethlife.ethz.ch)
>> +
>> + Let the victim log into a non-ssl imp3 account. Let him read a mail
>> + from you with an url to your server somewhere in it. Wait until he
>> + clicks on the url, and watch the referrer url including the sessionid
>> + being written to the apache log. Copy it into your own browser window
>> + (does not even need to be at the same ip), and enjoy reading the
>> + victim's personal email.
>> +
>> + Solution: each external link is rewritten to something like
>> + "http://your.imp.server/redirector.php?url=http://external.server/uri"
>> +
>
> This has been discussed a number of times that I remember, may have been
> in #horde and not the list. But a 'de-referer' would definitely be useful
> for external links.
>
> - Mike :-)
>
>
> -- 
> Horde developers mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: dev-unsubscribe at lists.horde.org
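Before any de-referer or digest-auth change ships, the leak the report describes can be confirmed from the server side: any session id that reaches an external server's access log arrived in the Referer header. The following is an added example, not code from this thread or from Horde/IMP: a Python scanner over Apache combined-format log lines that flags Referer values carrying a session-looking query parameter. The parameter names, host names and log lines are constructed for illustration; the real IMP session parameter name is an assumption you must substitute.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed list of parameter names that commonly carry a session token;
# replace with the webmail application's real parameter name (assumption).
SESSION_PARAMS = {"sessionid", "phpsessid", "sid", "session", "sessid"}
# A long hex value under any other name is suspicious too.
TOKEN_RE = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)


def leaked_tokens(referer):
    """Return (param, value) pairs in a Referer query string that look like session ids."""
    if not referer or referer == "-":
        return []
    hits = []
    for name, values in parse_qs(urlsplit(referer).query).items():
        for value in values:
            if name.lower() in SESSION_PARAMS or TOKEN_RE.match(value):
                hits.append((name, value))
    return hits


def scan_log(lines):
    """Return (client ip, referring host, param, token) for each line whose Referer leaks a token."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-format; skip rather than guess
        referer = m.group("referer")
        for name, value in leaked_tokens(referer):
            findings.append((m.group("ip"), urlsplit(referer).netloc, name, value))
    return findings


# Constructed sample: one line leaks a session id, one came through a
# redirector (no token in the query), one carries no Referer at all.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/May/2003:21:20:11 -0700] "GET /hello.html HTTP/1.1" 200 512 '
    '"http://imp.example.org/imp/message.php?sessionid=3f9a1c7e2b4d6f8a9c0e1b2d&index=42" "Mozilla/4.0"',
    '203.0.113.5 - - [13/May/2003:21:21:30 -0700] "GET /logo.png HTTP/1.1" 200 2048 '
    '"http://imp.example.org/redirector.php?url=http://ext.example.net/hello.html" "Mozilla/4.0"',
    '198.51.100.7 - - [13/May/2003:21:22:05 -0700] "GET /a.html HTTP/1.0" 200 100 "-" "Lynx/2.8"',
]
```

Run it against the logs of a host you control that users reach from the webmail client; every finding is a session that should be treated as compromised and invalidated.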
