Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

The referer check is nearly transparent. If you go to a page with the wrong referer host, you are redirected to a page with a link. Clicking the link completes the action. This is so you can get to acs-admin by just typing mysite/acs-admin. There could be times when clicking on the link would be a bad idea, and I may disable the link if the referer host is not null, or go through the sudo login page if the referer is null.

Unless you can javascript the referer on a URL request (and I'm sure someone has figured out how), this should make remote attacks difficult. I'm also thinking that if you create a DNS entry like admin.mysite.com and force all admin through that URL, then links from www.mysite.com become remote attacks. That would also require a separate login on admin.mysite.com. Between the two, I think that would make OpenACS safer than most sites.
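A worked sketch of the referer-host policy described in the post above, as an added example that is not code from the original thread or from OpenACS itself (OpenACS is Tcl; this is a stand-alone Python model of the same decision). The host names, the `CONFIRM`/`SUDO`/`DENY` outcomes and the `/confirm` redirect target are assumptions for illustration. It implements the three cases the post mentions: a referer from one of our own hosts runs the action, a blank referer (typed URL, or a proxy that strips the header) goes to a confirmation page or the sudo login page, and a referer from a foreign host is refused without the click-through link. Hosts are matched exactly, so `www.mysite.com.evil.example` or `www.mysite.com@evil.example` does not pass as `www.mysite.com`.

```python
from urllib.parse import urlsplit, quote

# Outcomes for a state-changing request to an admin page (assumed names).
ALLOW = "allow"      # Referer host is one of ours: run the action directly
CONFIRM = "confirm"  # no usable Referer: show the page with the "continue" link
SUDO = "sudo"        # no usable Referer, stricter variant: go through sudo login
DENY = "deny"        # Referer is a foreign host: treat as a remote attack, no link


def referer_host(referer):
    """Return the lower-cased host of a Referer header value, or None.

    Blank, scheme-less, non-http(s) or unparseable values count as "no
    referer" rather than as a foreign host, so a proxy or filter that strips
    or mangles the header does not turn every request into a DENY.
    """
    if not referer or not referer.strip():
        return None
    try:
        parts = urlsplit(referer.strip())
    except ValueError:           # e.g. a malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()  # .hostname already drops port and userinfo


def check_referer(referer, site_hosts, sudo_when_blank=False):
    """Decide how an admin request carrying the given Referer is handled.

    site_hosts: hosts allowed to link into admin pages, e.g. just the
    dedicated admin.mysite.com host if all admin is forced through it.
    sudo_when_blank: send blank-referer requests to the sudo login page
    instead of the plain confirmation link.
    """
    allowed = {h.lower() for h in site_hosts}
    host = referer_host(referer)
    if host is None:
        return SUDO if sudo_when_blank else CONFIRM
    if host in allowed:          # exact match, never a suffix/prefix test
        return ALLOW
    return DENY


def handle_admin_request(path, headers, site_hosts):
    """Simulated dispatch for an admin URL; returns (status, body)."""
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    decision = check_referer(referer, site_hosts)
    if decision == ALLOW:
        return 200, "action performed: " + path
    if decision == CONFIRM:
        # The confirmation page links back to the same URL. When the user
        # clicks that link the browser sends our own host as Referer, so the
        # second request is ALLOWed.
        return 302, "/confirm?return_url=" + quote(path, safe="")
    return 403, "refused: request was linked from " + referer_host(referer)


if __name__ == "__main__":
    hosts = ["www.mysite.com"]
    # Constructed sample requests, not captured traffic.
    for path, hdrs in [
        ("/acs-admin/users/delete?user_id=42", {"Referer": "http://www.mysite.com/acs-admin/"}),
        ("/acs-admin/", {}),
        ("/acs-admin/", {"Referer": "http://www.mysite.com.evil.example/"}),
    ]:
        print(path, hdrs.get("Referer"), "->", handle_admin_request(path, hdrs, hosts))
```

Note that the scheme check also rejects a `javascript:` value, which is why it lands in the "no referer" branch rather than being compared as a host.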

I don't think relying on the referer header is a good idea, since it might not always be sent by the browser. Looking in my access logs, I see from time to time users whose referer is always blank, even when they are apparently navigating within the site. It's probably caused by some kind of (paranoid) web filter, firewall or proxy software. I see that too often to feel comfortable locking these users out of administrative functions on my sites.