>>>>> "Mo" == Mo Holkar / UKG <[EMAIL PROTECTED]> writes:
Mo> I've seen a few references to this spoofing of HTTP_REFERER -- how is
Mo> it accomplished?
Mo> (Asking not so that I can do it myself ;-) but to ascertain whether
Mo> the circumstances / requirements are such that this danger is of
Mo> relevance to my application.)

note the value of "HTTP_REFERER" in the env output below:

$ telnet www.stonehenge.com 80
Trying 209.102.105.69...
Connected to web.stonehenge.com.
Escape character is '^]'.
GET /cgi/try HTTP/1.0
Referer: http://my.private.server/foo/bar

HTTP/1.1 200
Date: Thu, 07 Jun 2001 16:14:46 GMT
Server: Apache/1.3.17 (Unix) mod_perl/1.25
X_mod_perl_rules: mod_perl rules! Get it at http://perl.apache.org/
X_all_your_base: ARE BELONG TO US!
Connection: close
Content-Type: text/plain

Thu Jun 7 09:15:01 PDT 2001
uid=99(nobody) gid=99(nobody) groups=99(nobody)
halfdome.holdit.com
/merlyn/web/htdocs/cgi
SERVER_SIGNATURE=<ADDRESS>Apache/1.3.17 Server at web.stonehenge.com Port
80</ADDRESS>
SCRIPT_FILENAME=/merlyn/web/htdocs/cgi/try
SERVER_NAME=web.stonehenge.com
REMOTE_ADDR=209.102.105.69
REQUEST_URI=/cgi/try
TERM=dumb
HOSTTYPE=i386
PATH=/usr/ucb:/bin:/usr/bin
REMOTE_PORT=29791
self_url=http://web.stonehenge.com/cgi/try
REQUEST_METHOD=GET
SHELL=/bin/sh
GATEWAY_INTERFACE=CGI/1.1
QUERY_STRING=
SERVER_ADDR=209.102.105.69
SERVER_SOFTWARE=Apache/1.3.17 (Unix) mod_perl/1.25
UNIQUE_ID=Ox@odtFmaUAAAAg-LWg
SERVER_PROTOCOL=HTTP/1.0
REMOTE_HOST=web.stonehenge.com
SERVER_PORT=80
DOCUMENT_ROOT=/merlyn/web/htdocs
OSTYPE=Linux
SCRIPT_NAME=/cgi/try
SHLVL=1
[EMAIL PROTECTED]
HTTP_REFERER=http://my.private.server/foo/bar
_=/usr/bin/env
Connection closed by foreign host.

yes, it's that easy.

From LWP, it's a matter of calling $request->header("referer", "anything");
before processing the request. Still trivial.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
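
The session above matters to an application only if it treats HTTP_REFERER as proof of where a request came from. The Perl below is an added example, not code from this thread: it puts a Referer-based gate next to a gate that checks a server-signed token (an HMAC scheme chosen here as one possible replacement; the secret, session ids and sub names are constructed for illustration).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a server-side secret the client never sees (constructed value).
my $SECRET = 'constructed-demo-secret';

# Weak gate: trusts HTTP_REFERER, which the client sends verbatim.
sub allowed_by_referer {
    my ($env) = @_;
    my $ref = $env->{HTTP_REFERER} // '';
    return $ref =~ m{^http://my\.private\.server/} ? 1 : 0;
}

# Hypothetical helper: token = session id, expiry, and an HMAC over both.
# Session ids are assumed not to contain ':'.
sub issue_token {
    my ($session, $expires) = @_;
    return join ':', $session, $expires,
        hmac_sha256_hex("$session:$expires", $SECRET);
}

# Stronger gate: recompute the HMAC; it cannot be forged without $SECRET.
sub allowed_by_token {
    my ($token, $now) = @_;
    my ($session, $expires, $mac) = split /:/, ($token // ''), 3;
    return 0 unless defined $mac && $expires =~ /^\d+$/ && $expires > $now;
    my $want = hmac_sha256_hex("$session:$expires", $SECRET);
    return 0 unless length($mac) == length($want);
    my $diff = 0;    # compare every character, no early exit
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($want, $_, 1))
        for 0 .. length($want) - 1;
    return $diff == 0 ? 1 : 0;
}

my $now    = time;
my %forged = (HTTP_REFERER => 'http://my.private.server/foo/bar'); # header from the session above
my $token  = issue_token('sess42', $now + 300);   # constructed session id
(my $tampered = $token) =~ s/^sess42/sess43/;     # client edits the session id
my $expired = issue_token('sess42', $now - 1);

printf "%-30s %d\n", 'referer gate, forged Referer:', allowed_by_referer(\%forged);
printf "%-30s %d\n", 'token gate, no token:',         allowed_by_token(undef, $now);
printf "%-30s %d\n", 'token gate, tampered token:',   allowed_by_token($tampered, $now);
printf "%-30s %d\n", 'token gate, expired token:',    allowed_by_token($expired, $now);
printf "%-30s %d\n", 'token gate, issued token:',     allowed_by_token($token, $now);
```

The Referer header remains useful for logging and statistics; only the access decision moves to a value the server can verify.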