Note: This vulnerability has been fixed.

Problem

See: MAGNOLIA-5807 (Magnolia issue tracker)

...

Referer header example: Referer: http://demoauthor45.magnolia-cms.com/.magnolia/trees/website.html?mgnlCK=1404726339576

Status

We started work on the token method (see the ticket above) and have a basic implementation, but we are concerned that too many things must be changed to implement it, and that this could cause problems for existing Magnolia installations. So we decided to spend some more time researching the "referer-check" approach to see whether it is feasible.

Conclusion after 4 hours research

Referer checking should work against known exploits if written correctly. The four downsides I see are:

...

How to support existing installations: Whitelist? Special code? Tokens??!?

Should it be possible to configure a whitelist of additional referrers? Perhaps some integrations would like to make direct requests from external servers, or would this introduce too great a vulnerability?

Research

OWASP Page: Investigate Referrer Method

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Checking_The_Referer_Header

...

  • "For example, if the victim's domain is "site.com" then an attacker can have the CSRF exploit originate from "site.com.attacker.com" which may fool a broken referer check implementation. XSS can be used to bypass a referer check."
    • OK, we just need a good check, i.e. one that matches on the last part of the host rather than on a substring.
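A host-exact Referer check of the kind this note calls for, as an added example that is not Magnolia's code: it parses the header and compares the hostname, next to the substring check the OWASP quote warns about. The trusted host is taken from the example Referer above; the attacker domains and the extra whitelist entry are constructed.

```python
from urllib.parse import urlsplit

# Constructed: the instance's own host (from the example header on this page)
# plus one configured whitelist entry, as discussed under "existing installations".
OWN_HOST = "demoauthor45.magnolia-cms.com"
CONFIGURED_WHITELIST = {"integration.partner.example"}  # constructed placeholder
TRUSTED_HOSTS = {OWN_HOST} | CONFIGURED_WHITELIST


def broken_referer_check(referer: str, trusted_host: str) -> bool:
    """The naive substring test that 'site.com.attacker.com' fools."""
    return trusted_host in referer


def referer_allowed(referer: str, trusted_hosts: set, require_referer: bool = True) -> bool:
    """Accept only if the parsed Referer host is exactly one of the trusted hosts.

    Parsing first means the tricks 'trusted.com.attacker.com',
    'attacker.com/trusted.com' and 'trusted.com@attacker.com' all fail,
    because only the real hostname component is compared. A missing or
    unparsable Referer is rejected for state-changing requests unless the
    caller explicitly relaxes that (the privacy trade-off noted below).
    """
    if not referer:
        return not require_referer
    try:
        parts = urlsplit(referer)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    trusted = {h.lower() for h in trusted_hosts}
    return parts.hostname.lower() in trusted  # .hostname is already lowercased


if __name__ == "__main__":
    legit = "http://demoauthor45.magnolia-cms.com/.magnolia/trees/website.html?mgnlCK=1404726339576"
    spoofed = "http://demoauthor45.magnolia-cms.com.attacker.example/page"  # constructed
    print("legit   :", referer_allowed(legit, TRUSTED_HOSTS))             # True
    print("spoofed :", referer_allowed(spoofed, TRUSTED_HOSTS))           # False
    print("broken  :", broken_referer_check(spoofed, OWN_HOST))           # True (fooled)
```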

Notes

Privacy

Quote from the HTTP spec:

"Because the source of a link might be private information or might reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information."

...