[NTLUG:Discuss] M$ strikes again
Jack Snodgrass
jack at jacksnodgrass.com
Thu Aug 28 22:45:16 CDT 2003
On Thu, 2003-08-28 at 21:46, Greg Edwards wrote:
> Not strictly a linux question, but it is an open standards (HTTP) and
> open source (Apache) question.
>
> I've come across a problem with an M$ browser that does not send the
> HTTP_REFERER field with any requests. Every request has "-" in the
> referer field. Like a fool I use this to validate access to some CGI
> programs for security reasons. These are not redirects or foreign links.
>
> Is there a way to force the browser to send it or did Mr. Bill screw me
> again? So far I've only found 1 user in my logs that has this
> problem. It's a recent MSIE update so I'm sure I'll be seeing more!!
>
> TIA,

Sorry, but you can't rely on that info for security.

HTTP_REFERER is optional. Any of that info (HTTP_REFERER or HTTP_AGENT,
etc) is optional. It can be missing or spoofed. It could be someone
that wrote their own browser and is pretending to be a MS browser.
I can go into my mozilla preferences and there is a whole list
of browsers I can pretend to be.

Or it could be working and someone is accessing your .cgi from a
bookmark. That would not have a http_refer reference.

jack
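
An added example, not part of the original post or thread: a Referer-based gate for a CGI program next to a check on a server-signed token, run over constructed request environments. The key, site URL, `DEMO_TOKEN` field and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"    # assumption: server-side key, never sent to clients
SITE = "http://www.example.com/"    # assumption: placeholder site URL


def referer_check(environ):
    """The gate described in the thread: trust the client-supplied HTTP_REFERER."""
    return environ.get("HTTP_REFERER", "").startswith(SITE)


def _sign(user, expires):
    return hmac.new(SECRET, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()


def issue_token(user, now=None, ttl=900):
    """Issued by the server after login; binds a user name to an expiry time."""
    expires = int(time.time() if now is None else now) + ttl
    return f"{user}|{expires}|{_sign(user, expires)}"


def token_check(token, now=None):
    """Accept only a token this server signed and that has not expired."""
    try:
        user, expires, sig = token.split("|")
        expires_at = int(expires)
    except (AttributeError, ValueError):
        return False                # missing or malformed token
    if not hmac.compare_digest(sig.encode(), _sign(user, expires).encode()):
        return False                # altered, or signed with a different key
    return expires_at >= int(time.time() if now is None else now)


def classify(environ, now=None):
    """Return (referer_gate_allows, token_gate_allows) for one request."""
    # DEMO_TOKEN is a hypothetical field; a real site would carry it in a cookie.
    return referer_check(environ), token_check(environ.get("DEMO_TOKEN", ""), now)


if __name__ == "__main__":
    t0 = 1_000_000_000              # constructed clock value
    tok = issue_token("greg", now=t0)
    requests = {                    # constructed CGI environments
        "bookmark, no Referer sent": {"DEMO_TOKEN": tok},
        "Referer header set by the client": {"HTTP_REFERER": SITE + "menu.html"},
    }
    for name, env in requests.items():
        print(name, classify(env, now=t0 + 60))
```

The Referer gate rejects the legitimate bookmark request and accepts the request whose header was simply filled in, while the token gate decides on something only the server could have produced.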