IE 5.22 on Mac Transmitting HTTP Referer from Secure Page

2008.07.18
Credit: Thor Larholm
Risk: Medium
Local: No
Remote: Yes

This applies to ALL versions of Internet Explorer on all systems, though IE on Windows require that the HTTPS site is left through a redirection. I verified this on IE 5, 5.5, 6 and 6SP1. As an easily demonstrated example, open your Windows IE and go to https://login.yahoo.com/config/login then to verify that no referer is typically sent (the expected behavior) write the following in your Address Bar javascript:document.links[0].href="http://pivx.com/larholm/test/referer. php";document.links[0].click();void(0) If you want to see the referer being sent from https://login.yahoo.com to http://pivx.com write the following javascript:document.links[0].href="https://us.rd.yahoo.com/reg/sihflib/* http://pivx.com/larholm/test/referer.php";document.links[0].click();void (0) The redirect script has to be on the same domain. It is not uncommon to see redirectors on sites protected by SSL, most typically webmail implementations. Lots of other browsers have been vulnerable to this, including Netscape 4 and Opera. Regards Thor Larholm Senior Security Researcher PivX Solutions 24 Corporate Plaza #180 Newport Beach, CA 92660 http://www.pivx.com thor (at) pivx (dot) com [email concealed] 949-231-8496 PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net> -----Original Message----- From: deane (at) deanebarker (dot) net [email concealed] [mailto:deane (at) deanebarker (dot) net [email concealed]] Sent: Wednesday, December 24, 2003 8:16 AM To: bugtraq (at) securityfocus (dot) com [email concealed] Subject: IE 5.22 on Mac Transmitting HTTP Referer from Secure Page Documented instance of Internet Explorer 5.22 on a Mac transmitting an HTTP Referer header from a link on a secure page (https): http://www.gadgetopia.com/2003/12/23/OutlookWebAccessPrivacyHole.html This is clearly covered in the HTTP 1.1 spec (RFC 2616), Section 15.1.3, "Encoding Sensitive Information in URI's": "Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol."

References:

http://www.securityfocus.com/archive/1/348574


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top