Oden Eriksson wrote:
>
> Ken Jones writes:
>
> > Oden Eriksson wrote:
> >>
> >> Ken Jones writes:
> >>
> >> >
> >> > I updated the distribution with Bills (Alan Cox?) :) patch and
> >> > updated the version to 0.70.
> >> >
> >> > One change, I put the version in the footer with a link to
> >> > the qmailadmin page. This might help people looking for help,
> >> > we can put a qmailadmin howto/help document on the page.
> >> >
> >> > Ken Jones
> >>
> >> Wouldn't that be a security risk to send the whole referrer tag like that ?
> >
> > <a href=http://www.inter7.com/qmailadmin/>qmailadmin 0.71</a>
> >
> > What's insecure about that html?
>
> I guess that one (you?) could check the httpd log and find a referrer like:
>
> http://mail2.kvikkjokk.net/cgi-bin/qmailadmin/com/showusers?user=postmaster&
> time=996688321&dom=kvikkjokk.net&
>
> And use that to hijack a session to in this example my server.
>
> Am I wrong?
Ahh. I understand now. I tested it with my local server; here is what
shows up in the http logs:
209.218.8.89 - - [01/Aug/2001:13:07:43 -0500] "GET / HTTP/1.0" 200 639
"http://127.0.0.1/cgi-bin/qmailadmin/com/showusers?user=postmaster&time=996689170&dom=test.com&"
"Mozilla/4.77 [en] (X11; U; Linux 2.4.2-2 i586)"
So you are right. The referral information contains the authentication
information.
But the information can't be used unless the query comes from the same
IP as the machine used to log in. So it is useless.
However, some people remove the IP restriction to get around NAT and
proxy settings.
So overall, it is insecure in some cases and not in others.
To be on the safe side we should remove the link.
Ken Jones
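The leak Ken confirmed above can be checked for in an existing httpd log. The following scanner is an added example, not code from the thread or from qmailadmin; it assumes the Apache combined log format of the line quoted in the thread, and the sample lines below are constructed (addresses, host names and tokens are made up).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format, modelled on the
# line quoted in the thread. Only the first carries a qmailadmin session URL.
SAMPLE_LOG = """\
209.218.8.89 - - [01/Aug/2001:13:07:43 -0500] "GET / HTTP/1.0" 200 639 "http://127.0.0.1/cgi-bin/qmailadmin/com/showusers?user=postmaster&time=996689170&dom=test.com&" "Mozilla/4.77 [en] (X11; U; Linux 2.4.2-2 i586)"
10.0.0.5 - - [01/Aug/2001:13:09:01 -0500] "GET /qmailadmin/ HTTP/1.0" 200 1200 "http://www.example.org/docs/" "Mozilla/4.77 [en] (X11; U; Linux 2.4.2-2 i586)"
10.0.0.6 - - [01/Aug/2001:13:10:22 -0500] "GET / HTTP/1.0" 200 639 "-" "Mozilla/4.77 [en] (X11; U; Linux 2.4.2-2 i586)"
"""

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Query parameters the showusers URL in the thread carries for the logged-in session.
SESSION_PARAMS = ("user", "time", "dom")

def parse_line(line):
    """Split one combined-format log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def leaked_session(referer):
    """Return the session fields if the Referer is a qmailadmin URL carrying them, else None."""
    if referer in ("", "-"):
        return None
    parts = urlsplit(referer)
    if "/qmailadmin/" not in parts.path:
        return None
    qs = parse_qs(parts.query)  # the trailing '&' in the quoted URL is skipped as an empty pair
    if not all(p in qs for p in SESSION_PARAMS):
        return None
    return {p: qs[p][0] for p in SESSION_PARAMS}

def find_leaks(log_text):
    """Scan log lines; return (client_ip, referer_host, session_fields) for each leaked session."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sess = leaked_session(rec["referer"])
        if sess is not None:
            leaks.append((rec["host"], urlsplit(rec["referer"]).hostname, sess))
    return leaks

if __name__ == "__main__":
    for ip, src, sess in find_leaks(SAMPLE_LOG):
        print(f"client {ip} sent a qmailadmin session from {src} in its Referer: {sess}")
```

Run against a real log, the same scan shows which clients have already sent their user/time/dom tokens to an outside site, which is the case where removing the link (or keeping the IP check) matters.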