Re: IE 5.22 on Mac Transmitting HTTP Referer from Secure Page

tlarholm_at_PIVX.COM
Date: 12/30/03


Date: Tue, 30 Dec 2003 13:50:27 -0800
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

This applies to ALL versions of Internet Explorer on all systems, though
IE on Windows requires that the HTTPS site is left through a redirection.
I verified this on IE 5, 5.5, 6 and 6SP1.

As an easily demonstrated example, open your Windows IE and go to

https://login.yahoo.com/config/login

then to verify that no referer is typically sent (the expected behavior)
write the following in your Address Bar

javascript:document.links[0].href="http://pivx.com/larholm/test/referer.php";document.links[0].click();void(0)

If you want to see the referer being sent from https://login.yahoo.com
to http://pivx.com write the following

javascript:document.links[0].href="https://us.rd.yahoo.com/reg/sihflib/*http://pivx.com/larholm/test/referer.php";document.links[0].click();void(0)

The redirect script has to be on the same domain. It is not uncommon to
see redirectors on sites protected by SSL, most typically webmail
implementations.

Lots of other browsers have been vulnerable to this, including Netscape
4 and Opera.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
949-231-8496

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net>

-----Original Message-----
From: deane@deanebarker.net [mailto:deane@deanebarker.net]
Sent: Wednesday, December 24, 2003 8:16 AM
To: bugtraq@securityfocus.com
Subject: IE 5.22 on Mac Transmitting HTTP Referer from Secure Page

Documented instance of Internet Explorer 5.22 on a Mac transmitting an
HTTP Referer header from a link on a secure page (https):

http://www.gadgetopia.com/2003/12/23/OutlookWebAccessPrivacyHole.html

This is clearly covered in the HTTP 1.1 spec (RFC 2616), Section 15.1.3,
"Encoding Sensitive Information in URI's":

"Clients SHOULD NOT include a Referer header field in a (non-secure)
HTTP request if the referring page was transferred with a secure
protocol."
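
Added example, not part of the original messages: one way to check a plain-HTTP server's access log for the behavior discussed in this thread, namely requests that arrive with an https:// Referer despite RFC 2616 section 15.1.3. It assumes Apache Combined Log Format taken from the non-TLS listener; the function name, host names and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: Combined Log Format from the plain-HTTP (non-TLS) listener:
# host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def find_secure_referer_leaks(lines):
    """Flag requests whose Referer names a page that was fetched over HTTPS."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # not Combined Log Format, skip
        ref = urlsplit(m["referer"])
        if ref.scheme.lower() != "https":
            continue                      # "-" or an http:// referer is expected
        findings.append({
            "client": m["client"],
            "time": m["time"],
            "path": m["path"],
            "referer_host": ref.hostname,
            "referer_path": ref.path,
            # Record parameter names only, so the report does not copy
            # session identifiers or message ids out of the log.
            "query_params": [k for k, _ in parse_qsl(ref.query, keep_blank_values=True)],
            "agent": m["agent"],
        })
    return findings

# Constructed sample lines (documentation addresses and example hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Dec/2003:13:50:27 -0800] "GET /test/referer.php HTTP/1.1" 200 312 '
    '"https://webmail.example/inbox/read?msg=42&sid=CONSTRUCTED" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.11 - - [30/Dec/2003:13:51:02 -0800] "GET /test/referer.php HTTP/1.1" 200 312 '
    '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.12 - - [30/Dec/2003:13:52:40 -0800] "GET /index.html HTTP/1.1" 200 1024 '
    '"http://www.example.org/links.html" "Opera/7.23 (Windows NT 5.1; U)"',
]

if __name__ == "__main__":
    for f in find_secure_referer_leaks(SAMPLE_LOG):
        print(f["time"], f["client"], f["referer_host"], f["query_params"], f["agent"])
```

Only the first sample line is reported; the User-Agent column of each finding shows which browsers are sending the header.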
