Or he could take the same road that we've all been down before and crash in the 
same spot we did. Sometimes that's a great way to learn. Why pay attention to 
the wet paint sign when you can touch it for yourself and get dirty? 

----- Original Message ----
From: John Mason <[EMAIL PROTECTED]>
To: [email protected]
Sent: Thursday, June 14, 2007 2:40:06 PM
Subject: RE: [ACFUG Discuss] empty cgi.http_referer

I agree. The cgi variables are very unreliable. Ajas, you're not the first to
do this. Many people, including myself, have relied on cgi variables for things
(not just for security) and have been burned by them. It's a little added work
to do the login, but it will save you a lot of problems down the road.

John
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shawn gorrell
Sent: Thursday, June 14, 2007 2:34 PM
To: [email protected]
Subject: Re: [ACFUG Discuss] empty cgi.http_referer

How do you get it if it isn't there? I suppose that you could just make it up
if you liked. I'd make mine as coming from peanut_butter.cfm. As Dean stated,
it isn't always reliable. Type in a URL or get to one through a bookmark and it
will be empty. I've seen them get stripped at firewalls as well. I'd find
another way to do it.


----- Original Message ----
From: Ajas Mohammed <[EMAIL PROTECTED]>
To: [email protected]
Sent: Thursday, June 14, 2007 2:29:53 PM
Subject: Re: [ACFUG Discuss] empty cgi.http_referer

Hi Dean,

Thanks for the information. I understand the threat the cgi.HTTP_REFERER
variable poses, and also that it's not safe to depend on any client-generated
variables.

But let's say I want to know the answers to these 2 questions; what would they
be, i.e.

1) why is cgi.HTTP_REFERER empty, and
2) is there a way I can get the value of cgi.HTTP_REFERER?

thanks,

On 6/14/07, Dean H. Saxe <[EMAIL PROTECTED]> wrote:

  FWIW, the referer header is a great way to get information disclosure. It's
  a great way to find previously unknown URLs just by scraping referer logs.
  Can be used to track where someone has been previously... fun stuff.

  -dhs

  Dean H. Saxe, CISSP, CEH
  [EMAIL PROTECTED]

  "[T]he people can always be brought to the bidding of the leaders. This is
  easy. All you have to do is to tell them they are being attacked, and
  denounce the pacifists for lack of patriotism and exposing the country to
  danger. It works the same in every country."

      --Hermann Goering, Hitler's Reich-Marshall at the Nuremberg Trials

  On Jun 14, 2007, at 1:10 PM, Ajas Mohammed wrote:

    Hi,

    In one of my CF 7 applications, say Appl A, I have a link to another
    application, Appl B. Appl B will allow the user to access restricted pages
    in case he is a referred user from Appl A. In the Application.cfm file of
    Appl B, I have this code:

    <!--- client var for testing the value of cgi.HTTP_REFERER --->
    <cfset client.Referer = "#cgi.HTTP_REFERER#">

    <cfif ( cgi.HTTP_REFERER contains "mysitekeyword" )>
        <cfset referred = "true">
    <cfelse>
        <cfset referred = "false">
    </cfif>

    <!--- referred is set on both branches above, so this IsDefined() is always true --->
    <cfif IsDefined("referred")>
        <!--- if user is referred, then set login stuff so user is not thrown to login page --->
        <cfif ( referred )>
            <cfset client.login = "Referred">
            <cfset client.my_first_name = "RefFirstName">
            <cfset client.can_access = "Y">
            <cfset client.can_config = "N">
            <cfset client.can_create_client = "N">
            <cfset client.can_config_client = "N">
            <cfset client.limit_access = "N">
            <cfset client.access_name = "RefUser">
            <cfset client.started = "true">
        </cfif>
    </cfif>
    

    This code ensures that the user can view the pages. If the user is not
    referred, then he has to log in.

    The problem I am facing is that when users click the link in Appl A to come
    to Appl B, cgi.HTTP_REFERER is empty, which means the code above won't be
    executed (referred = "false") and the user is thrown to the login page. I
    don't know why this is happening. Perhaps it has something to do with
    security / anti-virus, and the CF server sets it to empty.

    I checked both variables, i.e. my client.Referer variable and
    cgi.HTTP_REFERER, on the page that is displayed first to the user (in this
    case the login page), and both variables are empty.

    Is there a way I could get the value of cgi.HTTP_REFERER?

    Thanks,

    -- 
    <Ajas Mohammed />
    http://ajashadi.blogspot.com
    No matter what, find a way. Because that's what winners do.

-------------------------------------------------------------
Annual Sponsor - Figleaf Software

To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
  








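The two behaviours the thread argues about, in runnable form. This is an added example, not code from the thread or from Ajas's application: the first function re-expresses the posted Application.cfm check so that a missing header and a forged header can be fed to it, and the second part is one way to "do the login" across the two apps without reading Referer at all, a short-lived HMAC-signed handoff token, which is an alternative the thread does not spell out. The shared key, the token layout, the host names and the user names are assumptions made for illustration.

```python
"""Referer-gated access (the logic of the Application.cfm posted in the thread)
beside a handoff that does not trust a client-supplied header.

Added example, not code from the thread. The CF check is re-expressed in Python;
HANDOFF_KEY, the token layout, the host names and the user names are assumptions
made for illustration only.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

SITE_KEYWORD = "mysitekeyword"  # the substring the posted <cfif> looks for


def referer_grants_access(headers: dict) -> bool:
    """Mirror of the posted check: cgi.HTTP_REFERER contains "mysitekeyword".

    An absent header reads as "" (as cgi.HTTP_REFERER does), so a typed URL, a
    bookmark or a proxy that strips Referer ends up on the login page, while
    any client that sets the header itself walks straight in. CF's `contains`
    is case-insensitive, hence the lower() on both sides.
    """
    referer = headers.get("Referer", "")
    return SITE_KEYWORD.lower() in referer.lower()


def demo_requests() -> dict:
    """Three requests as App B would see them (constructed inputs)."""
    cases = {
        "click_from_app_a": {"Referer": "http://mysitekeyword.example/home.cfm"},
        "bookmark_or_typed_url": {},  # browser sends no Referer at all
        "forged_with_curl": {"Referer": "http://peanut_butter.cfm/?MySiteKeyword"},
    }
    return {name: referer_grants_access(h) for name, h in cases.items()}


# --- Alternative that carries A's login to B without trusting Referer.
# Assumption: App A and App B share HANDOFF_KEY; App A puts the token in the
# link it renders, App B verifies it before creating its own session.

HANDOFF_KEY = b"replace-with-a-random-32-byte-secret-shared-by-A-and-B"
HANDOFF_TTL = 60  # seconds a link stays valid after App A mints it


def mint_handoff(user: str, now: Optional[float] = None) -> str:
    """App A side: HMAC-SHA256 over (user, expiry, nonce)."""
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    exp = int(now if now is not None else time.time()) + HANDOFF_TTL
    nonce = secrets.token_hex(8)
    msg = f"{user}|{exp}|{nonce}".encode()
    tag = hmac.new(HANDOFF_KEY, msg, hashlib.sha256).hexdigest()
    return f"{user}|{exp}|{nonce}|{tag}"


def verify_handoff(token: str, used_nonces: set,
                   now: Optional[float] = None) -> Optional[str]:
    """App B side: the user name when tag, expiry and one-time nonce all check
    out, else None. used_nonces stands in for a server-side store."""
    try:
        user, exp_s, nonce, tag = token.split("|")
        exp = int(exp_s)
    except ValueError:
        return None
    msg = f"{user}|{exp}|{nonce}".encode()
    expected = hmac.new(HANDOFF_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered
    if (now if now is not None else time.time()) > exp:
        return None  # link too old to honour
    if nonce in used_nonces:
        return None  # replayed link
    used_nonces.add(nonce)
    return user


if __name__ == "__main__":
    print(demo_requests())
    seen = set()
    link = mint_handoff("ajas")
    print(verify_handoff(link, seen), verify_handoff(link, seen))
```

Shawn's "make it up" is one flag away in practice (`curl -e 'http://peanut_butter.cfm/?mysitekeyword' ...` sets the Referer to whatever you like), which is what the `forged_with_curl` case models; the bookmark case models the empty value Ajas is seeing. The handoff token moves the decision to something only App A can produce, and App B still creates its own session afterwards rather than copying client.* flags from a header.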
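Dean's point about referer logs, in runnable form. This is an added example, not code from the thread: it parses a few constructed log lines in Apache "combined" format (the host names, paths, client addresses and timestamps are assumptions) and pulls out what the Referer column gives away, namely paths on one's own host that were never requested in the log and the trail of where a given client came from.

```python
"""What a web server's Referer column gives away, as an added illustration of the
information-disclosure point made in the thread. Not code from the thread; the
log lines, host names, paths and addresses below are constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Apache/httpd "combined" LogFormat:
#   client ident user [time] "request" status size "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample; "-" in the referer column is what httpd writes when the
# client sent no header (typed URL, bookmark, or a proxy/firewall stripped it).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jun/2007:14:29:53 -0400] "GET /login.cfm HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Jun/2007:14:30:01 -0400] "GET /index.cfm HTTP/1.1" 200 812 "http://appl-a.example/reports/q2-draft.cfm?client=4711" "Mozilla/5.0"
10.0.0.9 - - [14/Jun/2007:14:31:10 -0400] "GET /index.cfm HTTP/1.1" 200 812 "http://appl-b.example/admin/configclient.cfm" "Mozilla/5.0"
10.0.0.7 - - [14/Jun/2007:14:32:44 -0400] "GET /index.cfm HTTP/1.1" 200 812 "https://www.google.com/search?q=appl+b+login" "Mozilla/5.0"
garbage line that does not match the format and is skipped
"""


def parse(log_text):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if m:
            yield m.groupdict()


def referer_leaks(log_text):
    """(host, path, query) for every request that carried a Referer."""
    out = []
    for rec in parse(log_text):
        if rec["referer"] in ("", "-"):
            continue
        u = urlsplit(rec["referer"])
        out.append((u.netloc, u.path, u.query))
    return out


def previously_unknown_paths(log_text, own_host):
    """Paths on own_host that show up only in a Referer, never as a requested
    path in this log: URLs the log reader did not know existed or were linked."""
    requested = {rec["path"].split("?", 1)[0] for rec in parse(log_text)}
    return sorted({path for host, path, _ in referer_leaks(log_text)
                   if host == own_host and path not in requested})


def client_trail(log_text, client_ip):
    """Where one client came from, in log order: the "track where someone has
    been previously" angle. Query strings (search terms, client ids) ride along."""
    return [rec["referer"] for rec in parse(log_text)
            if rec["client"] == client_ip and rec["referer"] not in ("", "-")]


if __name__ == "__main__":
    for leak in referer_leaks(SAMPLE_LOG):
        print(leak)
    print(previously_unknown_paths(SAMPLE_LOG, "appl-b.example"))
    print(client_trail(SAMPLE_LOG, "10.0.0.7"))
```

Run against its own sample the script lists an admin page on appl-b.example that nobody requested in this log, a draft report path with a client id on appl-a.example, and the search terms one visitor typed into Google; each of those came from a header the client's browser volunteered, which is the same header the posted Application.cfm was treating as an access decision.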