I've heard of way too many people relying on HTTP_REFERER thinking it's a
secure way to lock things down... so I'll take this chance here and
illustrate what I'm talking about.

You'll need:
netcat (http://www.l0pht.com/~weld/netcat/)
and a PHP webserver.

Cut and paste the following HTTP request into a file:
GET /test.php HTTP/1.0
Host: webserver.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3)
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9,
 image/png, image/jpeg, image/gif;q=0.2, text/plain;q=0.8, text/css,
Accept-Language: en-us
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.yoursecuresite.com/cc_info.html

Modify the "GET" parameter on the first line if you wish to place your
script somewhere besides http://webserver.com/test.php

Place the following code in test.php:
<?php /* $HTTP_REFERER only exists with register_globals (removed in PHP 5.4); read the header from $_SERVER and escape it before echoing */ ?>
The http referer is: <?= htmlspecialchars($_SERVER['HTTP_REFERER'] ?? '', ENT_QUOTES, 'UTF-8') ?>

Now just run:
cat <file containing http request> | nc <ip of remote server> 80

... and watch what the webserver spits back for the $HTTP_REFERER
variable.  Just change the 'Referer' line and you can make it say whatever
you want.

If you're on NT just substitute "type" for "cat" in the above command.
Everything else should work just the same.

If that doesn't scare somebody out of using HTTP_REFERER for security, I
don't know what would.  And yes, you are right about the POST/rePOST thing
being hokey.  I wouldn't work with a company that required you to submit
data that way.

Justin Buist
Trident Technology, Inc.
4700 60th St. SW, Suite 102
Grand Rapids, MI  49512
Ph. 616.554.2700
Fx. 616.554.3331
Mo. 616.291.2612

On Mon, 20 Aug 2001, Fotwun wrote:

> How, code wise do I retrieve the session data from the session id. Also,
> another response below said HTTP_REFERER is not secure. So how do people
> who use this type of payment gateway secure the script it redirects to. All
> of the data it sends is form data, so once somebody knew what script it
> redirects to, and what form data it posts, it would be quite easy for them
> to authorize their own charges in my opinion.
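To make the thread's point concrete in runnable form, here is an added Python example (not code from the post, from PHP, or from any payment gateway): it parses a request whose Referer was typed by hand, the way a server would, shows a Referer-based check accepting it, and contrasts that with a server-issued HMAC token that the redirect-target script can verify instead. The request bytes, host names, order fields and secret are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed raw request, modelled on the one in the post: every header,
# including Referer, is just bytes chosen by whoever opens the socket.
RAW_REQUEST = (
    "GET /test.php HTTP/1.0\r\n"
    "Host: webserver.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3)\r\n"
    "Referer: http://www.yoursecuresite.com/cc_info.html\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.0 request into (method, path, headers dict)."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def referer_allows(headers, trusted_host):
    """The weak check from the thread: trust the request if Referer names our host."""
    return trusted_host in headers.get("referer", "")


def sign_order(secret, order_id, amount_cents):
    """Server-side alternative: a keyed MAC over the order fields, issued by the
    shop before redirecting and checked when the callback arrives at the script."""
    msg = f"{order_id}:{amount_cents}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def callback_allows(secret, order_id, amount_cents, token):
    """Accept the callback only if the token matches (constant-time compare)."""
    expected = sign_order(secret, order_id, amount_cents)
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    _, _, hdrs = parse_request(RAW_REQUEST)
    print("Referer check passes on a hand-written request:",
          referer_allows(hdrs, "www.yoursecuresite.com"))
    secret = secrets.token_bytes(32)   # constructed; keep it server-side only
    good = sign_order(secret, "order-42", 1999)
    print("Genuine callback accepted:", callback_allows(secret, "order-42", 1999, good))
    print("Tampered amount rejected:", callback_allows(secret, "order-42", 1, good))
```

The Referer check answers "does this string contain my host name", which any client can satisfy; the token check answers "did my server sign exactly these order fields", which only the holder of the secret can satisfy.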

PHP Database Mailing List (http://www.php.net/)
