Hi Dean,
Thanks for the information. I understand the threat
cgi.HTTP_REFERER variable poses and also that its not safe to depend on any
client generated variables.
But lets say I want to know answers for these 2 questions, what would be the
answer i.e.
1) why the cgi.HTTP_REFERER is empty and
2) is there a way, I can get the value for cgi.HTTP_REFERER.
thanks,
On 6/14/07, Dean H. Saxe <[EMAIL PROTECTED]> wrote:
FWIW, the referer header is a great way to get information disclosure.
Its a great way to find previously unknown URLs just by scraping referer
logs. Can be used to track where someone has been previously... fun stuff.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"[T]he people can always be brought to the bidding of the leaders. This is
easy. All you have to do is to tell them they are being attacked, and
denounce the pacifists for lack of patriotism and exposing the country to
danger. It works the same in every country."
--Hermann Goering, Hitler's Reich-Marshall at the Nuremberg Trials
On Jun 14, 2007, at 1:10 PM, Ajas Mohammed wrote:
Hi,
In one of my CF 7 applications say Appl A, I have a link to another
application Appl B. Appl B will allow user to access restricted pages in
case he is a referred user from Appl A. In the Application.cfm file of
Appl B, I have this code
<!--- client var for testing the value of cgi.HTTP_REFERER ---->
<cfset client.Referer = "#cgi.HTTP_REFERER#">
<cfif (cgi.HTTP_REFERER contains "mysitekeyword") >
<cfset referred = "true">
<cfelse>
<cfset referred = "false">
</cfif>
<cfif IsDefined("referred")>
<!--- if user is referred, then set login stuff so user is not thrown
to login page ---->
<cfif (referred)>
<cfset client.login="Referred">
<cfset client.my_first_name = "RefFirstName">
<cfset client.can_access = "Y">
<cfset client.can_config = "N">
<cfset client.can_create_client = "N">
<cfset client.can_config_client = "N">
<cfset client.limit_access = "N">
<cfset client.access_name = "RefUser">
<cfset client.started = "true">
</cfif>
</cfif>
This code ensures that user can view the pages. If user is not referred,
then he has to login.
The problem I am facing is that, when users click the link in Appl A to
come to Appl B, the cgi.HTTP_REFERER is empty which means the code above
wont be executed(referred ="false") and user is thrown to login page. I dont
know why this is happening. Perhaps, it has something to do with security /
anti virus and CF server sets it to empty.
I checked both variables i.e. my client.Referer variable and the
cgi.HTTP_REFERER on the page that is displayed first to user (in this case
login page), and the both the variables are empty.
Is there a way, I could get the value of cgi.HTTP_REFERER?
Thanks,
--
<Ajas Mohammed />
http://ajashadi.blogspot.com
No matter what, find a way. Because thats what winners do.
-------------------------------------------------------------
Annual Sponsor - Figleaf Software <http://www.figleaf.com>
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink <http://www.fusionlink.com>
-------------------------------------------------------------
--
<Ajas Mohammed />
http://ajashadi.blogspot.com
No matter what, find a way. Because thats what winners do.
-------------------------------------------------------------
Annual Sponsor FigLeaf Software - http://www.figleaf.com
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
