Closed
Bug 1457403
Opened 7 years ago
Closed 7 years ago
security:Information disclosure through http cache
Categories
(Firefox :: Untriaged, defect)
RESOLVED
INVALID
People
(Reporter: ma7h1as.l, Unassigned)
Details
Attachments
(1 file)
268 bytes,
application/x-php
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36
Steps to reproduce:
The online demo shows how to abuse the HTTP cache to bypass a referer check, or in other words, it could cause a referer spoofing vulnerability (but not only this).
http://115.159.205.137/token.php checks if referer=="http://www.infelphira.cn/static/admin.html"
Actual results:
When http://176.122.169.50/static/guest.html sends the request to token.php, it should get "get out you are just guest" because of the referer check.
Expected results:
It gets "token from admin".
There is something wrong with the original report; the right description for this vulnerability should be:
Expected results:
When http://176.122.169.50/static/guest.html sends the request to token.php, it should get "get out you are just guest" because of the referer check.
Actual results:
It gets "token from admin", leaking the information about the admin's secret.
Comment 2•7 years ago
Firefox, Safari, and Chrome have the same behavior -- I think there's a problem with the site's use of cache headers and TTL. If the response depends on the referer header then the site must send a "Vary: Referer" header so user agents know they can't reuse it if the Referer changes.
It's not just browsers that might cache it. Since this is an HTTP connection you don't know what helpful proxy in the middle is caching things for perf reasons. In a corp environment even HTTPS pages might be going through a corporate proxy that does caching. It needs to see the Vary headers to do the right thing, too.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
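The cache behaviour described in Comment 2, as an added illustration that is not the reporter's attachment or any browser's code: a toy shared cache following the Vary rule (a stored response is reused only when the request headers named in Vary match), fed by a simplified stand-in for token.php with and without "Vary: Referer". The constant max-age and the cache structure are assumptions for the demonstration.

```python
"""Why a Referer-dependent response needs 'Vary: Referer' to be cached safely."""
from dataclasses import dataclass, field

ADMIN_REFERER = "http://www.infelphira.cn/static/admin.html"
GUEST_REFERER = "http://176.122.169.50/static/guest.html"
TOKEN_URL = "http://115.159.205.137/token.php"


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def token_endpoint(request_headers: dict, send_vary: bool) -> Response:
    """Stand-in for token.php: the body depends on Referer. send_vary=False mimics the
    reported site; send_vary=True adds the header Comment 2 says the site must send."""
    headers = {"Cache-Control": "max-age=3600"}  # assumed: response is cacheable
    if send_vary:
        headers["Vary"] = "Referer"
    if request_headers.get("Referer") == ADMIN_REFERER:
        return Response("token from admin", headers)
    return Response("get out you are just guest", headers)


class SharedCache:
    """Cache keyed by URL plus the request header values named in the stored Vary header."""

    def __init__(self):
        self.store = {}  # url -> list of (vary_names, selecting_values, response)

    def fetch(self, url, request_headers, origin):
        req = {k.lower(): v for k, v in request_headers.items()}
        for vary_names, selecting, cached in self.store.get(url, []):
            # Reuse only if every header named in Vary matches; with no Vary, anything matches
            if all(req.get(h) == selecting.get(h) for h in vary_names):
                return cached.body, True
        resp = origin(request_headers)
        vary_names = tuple(h.strip().lower() for h in resp.headers.get("Vary", "").split(",") if h.strip())
        self.store.setdefault(url, []).append((vary_names, {h: req.get(h) for h in vary_names}, resp))
        return resp.body, False


def scenario(send_vary: bool):
    """Admin page fetches the token first, then the guest page; returns both bodies and
    whether the guest's answer came from the cache (True means the admin token leaked)."""
    cache = SharedCache()
    origin = lambda h: token_endpoint(h, send_vary)
    admin_body, _ = cache.fetch(TOKEN_URL, {"Referer": ADMIN_REFERER}, origin)
    guest_body, from_cache = cache.fetch(TOKEN_URL, {"Referer": GUEST_REFERER}, origin)
    return admin_body, guest_body, from_cache
```

Without Vary the guest request is served the admin's cached body; with "Vary: Referer" the cache misses and the origin's referer check runs again.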