
Answer: Login and CGI security problem.

by turnstep (Parson)
on May 12, 2000 at 19:42 UTC


When I click on the link, information about which websites I had visited before, my IP, etc., will be sent to the "evil" website. Using that data it's able to do malicious stuff on the server I visited last, since I had already logged on before.

The only compromising data is the referrer, or the URL you had been to before. It cannot tell which "websites" you had visited before, only the previous page. Yes, your IP is known, but it is known anyway, to every site you visit, and to everyone you email. Furthermore, most (if not all) browsers only send the referring information if you click on a link, not if the browser is invoked by an external program. So this is only an issue with web-based email readers.

In summary, there is nothing to worry about. Just don't put information like passwords into URLs when writing scripts (a bad idea for more than the reason mentioned here) and everything will be fine. I really doubt that any major web mail services do such a thing anyway. Such holes were patched a long time ago.

As to how to avoid them while writing scripts (which almost makes this a perl question, but not quite), just store password information on the server (best) and/or use cookies and/or use HIDDEN input tags.
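As an added example (not turnstep's code, and not part of the original thread), here is the "store it on the server and use a cookie" approach in a Perl CGI script: the password is checked once, the browser gets only an opaque session token in a cookie, and nothing secret ever lands in a URL that a Referer header could leak. The session directory, user table and salt are hypothetical placeholders; it assumes CGI.pm, Digest::SHA and Storable.

```perl
#!/usr/bin/perl
# Added example: keep credentials out of the URL.  The anti-pattern the
# answer warns about is a link such as  inbox.cgi?user=alice&pass=hunter2
# whose query string is sent as the Referer when the user clicks away.
# Here the only thing the browser holds is a random session id in a cookie.
use strict;
use warnings;
use CGI qw(:standard);
use Digest::SHA qw(sha256_hex);
use Storable qw(store retrieve);

my $SESSION_DIR = '/var/lib/myapp/sessions';  # hypothetical path
my $SALT        = 'hypothetical-salt';        # real code: per-user salt + slow hash (bcrypt)

# Hypothetical user table; a real script reads this from a database.
my %users = ( alice => sha256_hex('hunter2' . $SALT) );

sub new_session_id {
    # 32 bytes from the OS CSPRNG, hex-encoded: an unguessable token
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $bytes, 32;
    return unpack 'H*', $bytes;
}

sub login {
    my ($user, $pass) = (param('user') // '', param('pass') // '');
    return 0 unless exists $users{$user}
        && $users{$user} eq sha256_hex($pass . $SALT);
    my $sid = new_session_id();
    store({ user => $user, created => time }, "$SESSION_DIR/$sid");
    # HttpOnly: page scripts cannot read the token.  Secure: only sent over
    # TLS.  Either way it never appears in a link, so Referer cannot leak it.
    print header(
        -cookie => cookie(-name => 'sid', -value => $sid,
                          -httponly => 1, -secure => 1, -path => '/'),
    );
    print "Logged in as $user\n";
    return 1;
}

sub current_user {
    my $sid = cookie('sid') // return;
    return unless $sid =~ /^[0-9a-f]{64}$/;   # accept only our own token shape
    my $sess = -e "$SESSION_DIR/$sid" ? retrieve("$SESSION_DIR/$sid") : undef;
    return $sess ? $sess->{user} : undef;
}
```

The script's dispatch would call login() on the POSTed form and current_user() on every protected page; any page that gets undef back redirects to the login form instead of trusting anything in the query string.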
