Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the HTTP-Message CPAN distribution.

Report information
The Basics
Id:
102082
Status:
rejected
Priority:
Low/Low
Queue:

People
Owner:
Nobody in particular
Requestors:
bhati.contact [...] gmail.com
Cc:
AdminCc:

BugTracker
Severity:
(no value)
Broken in:
(no value)
Fixed in:
(no value)



Subject: Perl HTTP Module - Unsecure HTTP_REFERER Leads To Referrer Bypass
Date: Thu, 12 Feb 2015 13:44:53 +0530
To: bug-HTTP-Message@rt.cpan.org
From: Narendra Bhati <bhati.contact@gmail.com>
Respected Authorities,

 "HTTP_REFERER" function can be used  to ensure that Referrer should be from trusted domain and it will execute the request if it is not then he will refuse the complete the request to prevent attacks like CSRF,

Like we can create A Referrer Based CSRF Prevention code 
my $refer = $ENV{HTTP_REFERER}; = validwebsite.com
my $website = anything; = validwesite.com 
if ($website eq validwebsite.com || $website eq anyother.com) { do this } 
else 
{ do that }

Now http referer fucntion will check for the referer value which we have define 
and check that if it match then it will execute the request otherwise not 

But If we load that page in an tag Iframe who are using "HTTP_REFERER" function then "HTTP_REFERER" could allow anyone to execute that request , Because Iframe Tag Have No Referrer

Suggestion - If Page loaded in an Iframe Then "HTTP_REFERER" functions should check that if the request if coming from an Iframe then it has to refuse that request directly to prevent this kind of attacks 

Correct me if am wrong !

Looking forward to you

--
Narendra Bhati "CEH" Facebook , Twitter , LinkedIn , Personal Blog )

On 2015-02-12 03:15:04, bhati.contact@gmail.com wrote:
Show quoted text
> Respected Authorities, > > "HTTP_REFERER" function can be used to ensure that Referrer should be > from trusted domain and it will execute the request if it is not then he > will refuse the complete the request to prevent attacks like CSRF, > > Like we can create A Referrer Based CSRF Prevention code > my $refer = $ENV{HTTP_REFERER}; = validwebsite.com > my $website = anything; = validwesite.com > if ($website eq validwebsite.com || $website eq anyother.com) { do this } > else > { do that } > > Now http referer fucntion will check for the referer value which we have > define > and check that if it match then it will execute the request otherwise not > > But If we load that page in an tag Iframe who are using "HTTP_REFERER" > function then "HTTP_REFERER" could allow anyone to execute that request , > Because Iframe Tag Have No Referrer > > Suggestion - If Page loaded in an Iframe Then "HTTP_REFERER" functions > should check that if the request if coming from an Iframe then it has to > refuse that request directly to prevent this kind of attacks > > Correct me if am wrong !
This has nothing to do with the HTTP::Message module. Probably you should ask for advise in a web forum. You should probably reject or delete this ticket. Regards, Slaven
Subject: Re: [rt.cpan.org #102082] Perl HTTP Module - Unsecure HTTP_REFERER Leads To Referrer Bypass
Date: Thu, 12 Feb 2015 13:54:48 +0530
To: bug-HTTP-Message@rt.cpan.org
From: Narendra Bhati <bhati.contact@gmail.com>
I just want to point out this issue that , HTTP Referer allow attacker to bypass certain security feature which leads to Referer Based CSRF Bypass ,
Can you help me out where i can report about this Security Issue ?
Thanks in advance !

On Thu, Feb 12, 2015 at 1:52 PM, Slaven_Rezic via RT <bug-HTTP-Message@rt.cpan.org> wrote:
Show quoted text
<URL: https://rt.cpan.org/Ticket/Display.html?id=102082 >

On 2015-02-12 03:15:04, bhati.contact@gmail.com wrote:
> Respected Authorities,
>
>  "HTTP_REFERER" function can be used  to ensure that Referrer should be
> from trusted domain and it will execute the request if it is not then he
> will refuse the complete the request to prevent attacks like CSRF,
>
> Like we can create A Referrer Based CSRF Prevention code
> my $refer = $ENV{HTTP_REFERER}; = validwebsite.com
> my $website = anything; = validwesite.com
> if ($website eq validwebsite.com || $website eq anyother.com) { do this }
> else
> { do that }
>
> Now http referer fucntion will check for the referer value which we have
> define
> and check that if it match then it will execute the request otherwise not
>
> But If we load that page in an tag Iframe who are using "HTTP_REFERER"
> function then "HTTP_REFERER" could allow anyone to execute that request ,
> Because Iframe Tag Have No Referrer
>
> Suggestion - If Page loaded in an Iframe Then "HTTP_REFERER" functions
> should check that if the request if coming from an Iframe then it has to
> refuse that request directly to prevent this kind of attacks
>
> Correct me if am wrong !

This has nothing to do with the HTTP::Message module. Probably you should ask for advise in a web forum. You should probably reject or delete this ticket.

Regards,
    Slaven






--
Narendra Bhati "CEH" Facebook , Twitter , LinkedIn , Personal Blog )
Security Analyst - IT Risk & Security Management Services
Suma Soft Pvt. Ltd. | Suma Center | Near Mangeshkar Hospital | Erandawane
Pune: 411004 | +919923397301

======================================================================

Also AFAICT, not relevant for HTTP-Message module.
Subject: Re: [rt.cpan.org #102082] Perl HTTP Module - Unsecure HTTP_REFERER Leads To Referrer Bypass
Date: Mon, 23 Feb 2015 01:14:16 +0530
To: bug-HTTP-Message@rt.cpan.org
From: Narendra Bhati <bhati.contact@gmail.com>
Then where i should report any idea !

On Mon, Feb 23, 2015 at 1:10 AM, Gisle_Aas via RT <bug-HTTP-Message@rt.cpan.org> wrote:
Show quoted text
<URL: https://rt.cpan.org/Ticket/Display.html?id=102082 >

Also AFAICT, not relevant for HTTP-Message module.




--
Narendra Bhati "CEH" Facebook , Twitter , LinkedIn , Personal Blog )
Security Analyst - IT Risk & Security Management Services
Suma Soft Pvt. Ltd. | Suma Center | Near Mangeshkar Hospital | Erandawane
Pune: 411004 | +919923397301

======================================================================



This service runs on Request Tracker, is sponsored by The Perl Foundation, and maintained by Best Practical Solutions.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.