|
|
Posted by Rik on 02/14/07 01:57
Jonathan N. Little wrote:
> Somehow they are hacking the referrer value.
>
> Interesting other point is the same sequence of request|referrer pairs=
=
> get logged on each episode:
>
> http://forum.example.com/forum/index.php
> http://forum.example.com/phpbb/index.php
> http://forum.example.com/phpbb2/index.php
> http://forum.example.com/forums/index.php
> http://forum.example.com/board/index.php
>
> The UA and the originating IP same for series of 5 attempt URLs so it =
=
> might be some hacking script but is is different for each set of =
> attempts. Originating IP been from various places in North America but=
=
> all seem to be from hopone.net
>
> I don't have phpbb, nor indexes on and the 404 script is trapping them=
=
> but just wondering how they are spoofing the referrer?
The referer is just a header the browser may or may not send. Spoofing i=
s =
very, very easy. With some hacking in the browser I could make it send =
'http://yoursitesucks.com' by default, regardless of the actual referer.=
=
It even get's used for spamming: =
<http://en.wikipedia.org/wiki/Referer_spam>
Simple example using PHP:
<?php
$link =3D fsockopen('http://example.com',80);
fwrite($link,"GET / HTTP/1.1\r\nReferer: http://forum.example.com");
?>
This is the main reason why anyone with basic knowledge will tell you =
never to trust a referer header for any security whatsoever.
-- =
Rik Wasmus
Navigation:
[Reply to this message]
|