
This queue is for tickets about the HTTP-Message CPAN distribution.

Report information
The Basics
Id: 102082
Status: rejected
Priority: 0/
Queue: HTTP-Message

People
Owner: Nobody in particular
Requestors: bhati.contact [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Perl HTTP Module - Unsecure HTTP_REFERER Leads To Referrer Bypass
Date: Thu, 12 Feb 2015 13:44:53 +0530
To: bug-HTTP-Message [...] rt.cpan.org
From: Narendra Bhati <bhati.contact [...] gmail.com>
Respected Authorities,

The "HTTP_REFERER" function can be used to ensure that the Referrer is from a trusted domain; it will execute the request if it is, and if it is not then it will refuse to complete the request, to prevent attacks like CSRF.

For example, we can create a Referrer-based CSRF prevention code:

    my $refer   = $ENV{HTTP_REFERER};   # e.g. validwebsite.com
    my $website = $refer;               # the site the request claims to come from
    if ($website eq 'validwebsite.com' || $website eq 'anyother.com') {
        # do this
    } else {
        # do that
    }

Now the HTTP referer function will check for the referer value which we have defined, and check that if it matches then it will execute the request, otherwise not.

But if we load that page in an iframe tag on a site which is using the "HTTP_REFERER" function, then "HTTP_REFERER" could allow anyone to execute that request, because the iframe tag has no Referrer.

Suggestion - If the page is loaded in an iframe then the "HTTP_REFERER" function should check whether the request is coming from an iframe, and if so it has to refuse that request directly to prevent this kind of attack.

Correct me if I am wrong!

Looking forward to you

--
Narendra Bhati "CEH" (Facebook <http://www.facebook.com/narendradewsoft>, Twitter <http://www.twitter.com/NarendraBhatiB>, LinkedIn <https://www.linkedin.com/profile/view?id=115146074>, Personal Blog <http://hacktivity.websecgeeks.com>)
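A defensive counterpart to the check sketched in the report above, added here as an example; it is not code from the ticket or from HTTP::Message. It parses the Referer with the URI module (a dependency of libwww-perl), compares the host exactly against an allow-list rather than by substring match, treats a missing Referer as untrusted so the check fails closed rather than open (browsers omit or strip the header for several reasons, e.g. Referrer-Policy, privacy settings, HTTPS-to-HTTP transitions), and additionally requires a synchronizer token, because the Referer header alone is not a reliable CSRF defence. The trusted hostnames, the CSRF_TOKEN key (standing in for the form field the application would read from the request body) and the stored session token are constructed assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI;    # CPAN module shipped as a dependency of libwww-perl

# Hosts allowed to originate state-changing requests (constructed sample list).
my %TRUSTED_HOST = map { $_ => 1 } qw(validwebsite.com anyother.com);

# Return 1 if the request may proceed, 0 if it must be refused.
# $env is a hash ref shaped like the CGI environment (%ENV); $session_token is
# the per-session CSRF token the server stored when it rendered the form.
sub request_is_allowed {
    my ($env, $session_token) = @_;

    # 1. Fail closed: no Referer at all means we cannot vouch for the origin.
    my $referer = $env->{HTTP_REFERER};
    return 0 unless defined $referer && length $referer;

    # 2. Parse the URL instead of string-matching on it, so that a look-alike
    #    host such as "validwebsite.com.evil.example" or a trusted name hidden
    #    in the query string does not pass. Only http(s) referers count.
    my $uri = URI->new($referer);
    return 0 unless $uri->scheme && $uri->scheme =~ /^https?$/;
    my $host = eval { lc $uri->host } // '';
    return 0 unless $TRUSTED_HOST{$host};

    # 3. Referer is a hint, not a proof: it is attacker-controlled outside a
    #    browser and often absent inside one. Require a synchronizer token
    #    submitted with the form as well, compared in constant time.
    #    CSRF_TOKEN is an assumed key; a real app reads it from the POST body.
    my $submitted = $env->{CSRF_TOKEN} // '';
    return 0 unless defined $session_token && length $session_token;
    return 0 unless length $submitted == length $session_token;
    my $diff = 0;
    $diff |= ord(substr $submitted, $_, 1) ^ ord(substr $session_token, $_, 1)
        for 0 .. length($session_token) - 1;
    return $diff == 0 ? 1 : 0;
}

# Constructed sample requests (no real traffic involved).
my $token = 'a3f1c9e0d2b4';
my @cases = (
    [ 'trusted referer + valid token', { HTTP_REFERER => 'https://validwebsite.com/form',           CSRF_TOKEN => $token }, 1 ],
    [ 'missing referer',               { CSRF_TOKEN => $token },                                                           0 ],
    [ 'look-alike host',               { HTTP_REFERER => 'https://validwebsite.com.evil.example/', CSRF_TOKEN => $token }, 0 ],
    [ 'host only in query string',     { HTTP_REFERER => 'https://evil.example/?r=validwebsite.com', CSRF_TOKEN => $token }, 0 ],
    [ 'trusted referer, wrong token',  { HTTP_REFERER => 'https://anyother.com/', CSRF_TOKEN => 'ffffffffffff' },          0 ],
);
for my $c (@cases) {
    my ($name, $env, $expected) = @$c;
    my $got = request_is_allowed($env, $token);
    printf "%-32s -> %s (%s)\n", $name, $got ? 'allow' : 'refuse',
        $got == $expected ? 'ok' : 'MISMATCH';
}
```

Only the first sample request is allowed; every other case is refused, including the one with no Referer at all, which is the behaviour a referrer check needs in order not to be bypassed simply by suppressing the header.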
On 2015-02-12 03:15:04, bhati.contact@gmail.com wrote:
This has nothing to do with the HTTP::Message module. Probably you should ask for advice in a web forum. You should probably reject or delete this ticket.

Regards,
Slaven
Subject: Re: [rt.cpan.org #102082] Perl HTTP Module - Unsecure HTTP_REFERER Leads To Referrer Bypass
Date: Thu, 12 Feb 2015 13:54:48 +0530
To: bug-HTTP-Message [...] rt.cpan.org
From: Narendra Bhati <bhati.contact [...] gmail.com>
I just want to point out this issue: HTTP Referer allows an attacker to bypass certain security features, which leads to a Referer-based CSRF bypass. Can you help me out with where I can report this security issue? Thanks in advance!

On Thu, Feb 12, 2015 at 1:52 PM, Slaven_Rezic via RT <bug-HTTP-Message@rt.cpan.org> wrote:
--
Narendra Bhati "CEH" (Facebook <http://www.facebook.com/narendradewsoft>, Twitter <http://www.twitter.com/NarendraBhatiB>, LinkedIn <https://www.linkedin.com/profile/view?id=115146074>, Personal Blog <http://hacktivity.websecgeeks.com>)
Security Analyst - IT Risk & Security Management Services
Suma Soft Pvt. Ltd. | Suma Center | Near Mangeshkar Hospital | Erandawane Pune: 411004 | +919923397301
Also AFAICT, not relevant for HTTP-Message module.
Subject: Re: [rt.cpan.org #102082] Perl HTTP Module - Unsecure HTTP_REFERER Leads To Referrer Bypass
Date: Mon, 23 Feb 2015 01:14:16 +0530
To: bug-HTTP-Message [...] rt.cpan.org
From: Narendra Bhati <bhati.contact [...] gmail.com>
Then where should I report it? Any idea?

On Mon, Feb 23, 2015 at 1:10 AM, Gisle_Aas via RT <bug-HTTP-Message@rt.cpan.org> wrote: