Antoine Beaupré <anar...@orangeseeds.org> writes:

>> +--- a/url.php
>> ++++ b/url.php
>> ++ // JavaScript redirection is necessary. Because if header() is used
>> ++ // then web browser sometimes does not change the HTTP_REFERER
>> ++ // field and so with old URL as Referer, token also goes to
>> ++ // external site.
>
> I haven't reviewed the whole code - but this actually works? Doesn't
> this assume the token isn't passed to the url.php file?
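Review bot: the hunk adds only the comment justifying a JavaScript redirect, so neither the redirect code nor the assumption it rests on is visible here; with a JavaScript redirect the Referer sent to the external site is url.php's own URL, so the token is still exposed if it is passed to url.php, which is exactly the question raised above. Suggest the patch make that precondition explicit (url.php must be reachable without the token) or have the page request a no-referrer policy instead of relying on per-browser behaviour of header() versus script-driven navigation.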
I am still a bit unclear on the CVE-2016-4412 / PMASA-2016-57 vulnerability. Ok, so let's say the vulnerability is in the HTTP_REFERER having the token. In which case, if this JavaScript redirection successfully hides the HTTP_REFERER header, there is no need for a whitelist. I am guessing the JavaScript isn't reliable. Or doesn't work on all browsers. I will conduct some more tests.

-- 
Brian May <b...@debian.org>
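For readers following the whitelist-versus-Referer question in this thread, the following is an added example, not phpMyAdmin's url.php and not code from either poster. It is a stand-alone Python model of an external-link redirector that combines the two mitigations discussed: a whitelist of allowed target hosts, and a response that asks the browser to send no Referer at all (Referrer-Policy header plus the equivalent `<meta name="referrer">` element), so the outcome no longer depends on how a given browser treats header() versus JavaScript redirection. It also refuses to serve when the secret token is present in the redirector's own URL, since in that case the redirector page itself becomes the Referer and the token leaks regardless of redirect method. The host names, the `token` parameter name and the `/url.php?url=` shape are assumptions made for the example.

```python
"""Added example (not phpMyAdmin's url.php): a redirector that does not leak
a session token through the Referer header. Host names are constructed."""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed whitelist of hosts the redirector may send users to.
ALLOWED_HOSTS = {"www.phpmyadmin.net", "docs.phpmyadmin.net"}

# Query parameters that must never be visible to an external site
# (the name "token" is assumed for this example).
SECRET_PARAMS = {"token"}


def is_allowed_target(url, allowed_hosts=ALLOWED_HOSTS):
    """True only for absolute http(s) URLs whose host is whitelisted.

    Using urlsplit().hostname (rather than a string prefix check) means
    tricks such as "https://www.phpmyadmin.net@evil.example/" are rejected.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL, e.g. a bad IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    return host is not None and host.lower() in allowed_hosts


def request_leaks_secret(request_path):
    """True if the redirector's own URL carries a secret parameter.

    Whatever redirect mechanism is used, the document the user leaves from
    is this page, so a token in its URL would be the Referer sent outbound.
    """
    query = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
    return any(name in query for name in SECRET_PARAMS)


def build_response(request_path, allowed_hosts=ALLOWED_HOSTS):
    """Return (status, headers, body) for a request like /url.php?url=<target>."""
    if request_leaks_secret(request_path):
        return 400, [("Content-Type", "text/plain")], "refused: token in redirector URL"

    query = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
    target = query.get("url", [""])[0]
    if not is_allowed_target(target, allowed_hosts):
        return 400, [("Content-Type", "text/plain")], "refused: target not whitelisted"

    # Interstitial page: the Referrer-Policy header and the <meta> element
    # both request that no Referer be sent on the outbound navigation. The
    # meta refresh performs the redirect even with JavaScript disabled, and
    # the link carries rel="noreferrer" for the same reason.
    safe_target = escape(target, quote=True)
    body = (
        "<!DOCTYPE html><html><head>"
        '<meta name="referrer" content="no-referrer">'
        f'<meta http-equiv="refresh" content="0;url={safe_target}">'
        "</head><body>"
        f'<a href="{safe_target}" rel="noreferrer">Continue</a>'
        "</body></html>"
    )
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Referrer-Policy", "no-referrer"),
        ("Cache-Control", "no-store"),
    ]
    return 200, headers, body


if __name__ == "__main__":
    for path in (
        "/url.php?url=https%3A%2F%2Fwww.phpmyadmin.net%2Fdocs%2F",
        "/url.php?url=https://evil.example/",
        "/url.php?url=https://www.phpmyadmin.net/&token=abc",
    ):
        status, _, message = build_response(path)
        print(status, path, "" if status == 200 else message)
```

The point of the combined check is that the whitelist and the referrer policy address different failures: the whitelist keeps the endpoint from being an open redirect, while the no-referrer policy removes the dependence on browser behaviour that the quoted patch comment worries about. Neither helps if the token is in the redirector's own URL, which is why that case is refused outright.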