Closed Bug 1457403 Opened 7 years ago Closed 7 years ago

security: Information disclosure through HTTP cache

Categories

(Firefox :: Untriaged, defect)

59 Branch


RESOLVED INVALID

People

(Reporter: ma7h1as.l, Unassigned)

Attachments (1 file): token.php (268 bytes, application/x-php)

Attached file token.php
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36

Steps to reproduce:

The online demo shows how to abuse the HTTP cache to bypass a referer check, or in other words, it could cause a referer spoofing vuln (but not only this).
http://115.159.205.137/token.php checks if referer == "http://www.infelphira.cn/static/admin.html"

Actual results:

When http://176.122.169.50/static/guest.html sends the request to token.php, it should get "get out you are just guest" because of the referer check.

Expected results:

It gets "token from admin".
There is something wrong with the original report. The right description for this vulnerability should be:

Expected results: when http://176.122.169.50/static/guest.html sends the request to token.php, it should get "get out you are just guest" because of the referer check.

Actual results: it gets "token from admin", leaking information about the admin's secret.
Firefox, Safari, and Chrome have the same behavior -- I think there's a problem with the site's use of cache headers and TTL. If the response depends on the referer header then the site must send a "Vary: Referer" header so user agents know they can't reuse it if the Referer changes. It's not just browsers that might cache it. Since this is an HTTP connection you don't know what helpful proxy in the middle is caching things for perf reasons. In a corp environment even HTTPS pages might be going through a corporate proxy that does caching. It needs to see the Vary headers to do the right thing, too.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
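The cache behaviour described in comment 2, as an added model that is not the attachment's token.php and not browser code: a referer-checking origin plus a minimal shared cache that keys entries on the URL and the request headers named in the response's Vary header. The URLs come from the report; the max-age value and the handler shape are assumptions.

```python
# Constructed model (not the attachment's token.php and not Firefox code):
# the origin mimics the reported referer check, SharedCache mimics a browser
# or proxy cache keyed on URL plus the request headers named in Vary.
ADMIN_REFERER = "http://www.infelphira.cn/static/admin.html"  # from the report
GUEST_REFERER = "http://176.122.169.50/static/guest.html"      # from the report
URL = "http://115.159.205.137/token.php"                      # from the report


def token_endpoint(request_headers, vary_on_referer):
    """Origin handler: returns (status, response_headers, body)."""
    if request_headers.get("Referer") == ADMIN_REFERER:
        body = "token from admin"
    else:
        body = "get out you are just guest"
    headers = {"Cache-Control": "max-age=3600"}  # cacheable; value is assumed
    if vary_on_referer:
        headers["Vary"] = "Referer"  # the fix comment 2 asks for
    return 200, headers, body


class SharedCache:
    """Minimal HTTP cache: entry key = URL + values of the Vary'd headers."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def fetch(self, url, request_headers):
        # Reuse a stored entry only if every header named in its Vary list
        # has the same value on this request (empty Vary list: always reuse).
        for (cached_url, vary_values), body in self.store.items():
            if cached_url == url and all(
                request_headers.get(h) == v for h, v in vary_values
            ):
                return body, True  # cache hit
        _status, headers, body = self.origin(request_headers)
        vary = [h.strip() for h in headers.get("Vary", "").split(",") if h.strip()]
        key = (url, tuple((h, request_headers.get(h)) for h in vary))
        self.store[key] = body
        return body, False  # served by origin


def guest_after_admin(vary_on_referer):
    """Admin page fetches first, then the guest page fetches the same URL;
    returns (body the guest saw, whether it came from the cache)."""
    cache = SharedCache(lambda hdrs: token_endpoint(hdrs, vary_on_referer))
    cache.fetch(URL, {"Referer": ADMIN_REFERER})
    return cache.fetch(URL, {"Referer": GUEST_REFERER})
```

Without Vary the guest request is a cache hit and receives the admin body; with Vary: Referer the keys differ and the guest reaches the origin. For a response carrying a secret, Cache-Control: no-store is the safer choice, since Vary only partitions the cache rather than keeping the secret out of it.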