PerlMonks  

Answer: Login and CGI security problem.


Q&A > CGI programming > Login and CGI security ("open cookie jar") problem. contributed by turnstep

When I click on the link, information about which websites I had visited before, my IP, etc., will be sent to the "evil" website. Using that data it's able to do malicious stuff on the server I visited last, since I had already logged on before.

The only compromising data is the referrer, or the URL you had been to before. It cannot tell which "websites" you had visited before, only the previous page. Yes, your IP is known, but it is known anyway, to every site you visit, and to everyone you email. Furthermore, most (if not all) browsers only send the referring information if you click on a link, not if the browser is invoked by an external program. So this is only an issue with web-based email readers.

In summary, there is nothing to worry about. Just don't put information like passwords into URLs when writing scripts (a bad idea for more than the reason mentioned here) and everything will be fine. I really doubt that any major web mail services do such a thing anyway. Such holes were patched a long time ago.

As to how to avoid them while writing scripts (which almost makes this a perl question, but not quite), just store password information on the server (best) and/or use cookies and/or use HIDDEN input tags.
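The server-side-password-plus-cookie approach the answer recommends, as an added example that is not from the answer or from PerlMonks: credentials are accepted only from a POST body (so they never land in a query string that a later Referer header could leak), and the browser is handed a random session id in a cookie while the real state stays on the server. The credential table and the session store path are hypothetical stand-ins.

```perl
#!/usr/bin/perl
# Added example: login handler that keeps the password out of the URL and
# binds the session to a server-side token. The credential check and the
# session store are hypothetical stand-ins for a real database.
use strict;
use warnings;
use CGI;
use CGI::Cookie;
use Digest::SHA qw(sha256_hex);

my $q = CGI->new;

# Accept credentials only from a POST body: a GET query string would be
# copied into the Referer header of the next link the user clicks.
if ( $q->request_method ne 'POST' ) {
    print $q->header( -status => '405 Method Not Allowed' ), "Use POST\n";
    exit;
}

my $user = $q->param('username') // '';
my $pass = $q->param('password') // '';

# Hypothetical credential check (constructed); a real script would look up
# a salted hash in a database rather than this in-memory table.
my %password_hash = ( alice => sha256_hex('correct horse') );
unless ( exists $password_hash{$user}
    && sha256_hex($pass) eq $password_hash{$user} ) {
    print $q->header( -status => '401 Unauthorized' ), "Login failed\n";
    exit;
}

# Random session id: the browser only ever carries this token, never the password.
open my $rnd, '<', '/dev/urandom' or die "no urandom: $!";
read $rnd, my $bytes, 32;
close $rnd;
my $session_id = unpack 'H*', $bytes;

# Server-side session store (hypothetical path); the id is the only part
# that ever leaves the server.
open my $fh, '>>', '/tmp/sessions.txt' or die "cannot open session store: $!";
print $fh "$session_id\t$user\t", time, "\n";
close $fh;

my $cookie = CGI::Cookie->new(
    -name     => 'sid',
    -value    => $session_id,
    -httponly => 1,    # not readable from page scripts
    -secure   => 1,    # sent only over HTTPS
    -path     => '/',
);
print $q->header( -cookie => $cookie );
print "Logged in as $user; later requests carry only the sid cookie.\n";
```

Each later request is then authorised by looking the sid cookie up in the server-side store, so nothing in any URL identifies the user or their password.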
