Wetlook World Forum

Message # 281.1.1.1

Subject: Yes, don't worry, I'm aware of this [nt]

Date: Sat 28/09/02 20:40:25 GMT

Name: Nigel

Email: nigel@wetlook.com

Website: http://www.wetlook.com

By max - max_2@poczta.fm Sat 28/09/02 12:00:50 GMT

Website:

Nigel, please note that HTTP referer field cannot be trusted, as any other header or data supplied by the client. Anyone can forge it. Checking referer will not stop anyone from altering values of hidden form fields on the 'add' page and screwing up the forum.

You should protect important data passed to the client using some sort of hash function (md5, sha1). Mail me if you need more information or help.

We love this forum and will not allow anyone to damage it.

By Nigel - nigel@wetlook.com Sat 28/09/02 03:44:06 GMT

Website: http://www.wetlook.com

The 'referer' is just the url/address of the previous page that you were viewing, this in normally passed by the browser to each new page as you click through links.  It is checked to make sure that the pages are called in the correct sequence, and helps to stop people hacking into a website.  E.g. without checking the 'referer', the 'add' page on the forum could be copied to another website, changed, and then used to submit a new article with corrrupted information in it, which may be able to screw up the forum.  E.g. you could add new messages out of sequence, or imbed malicious html code in the messages.

All the 'referer' string does is allow a website to see where the link was that got the user to the current page, but only if it was via a 'clicked link' on that page.  If you are on wetlook.com for instance, and then select microsoft.com, either from your favourites, a shortcut, or by typing in the url, the previous page is NOT passed.  The referer is also passed (stupidly IMHO) when a jpeg or other image is loaded, and banner advertisers use this for tracking people, which is why most 'security' software offers to 'Block Referers'.  Any good software should allow you to select sites where you want the referers to be unblocked though, as many sites rely on this information for correct operation, to protect againt tampering.

I can't see that ZA is causing the problem... I use it myself (Version 3.1.291), and have no problems, using the standard settings, and there's nothing in there about Blokcing Referers ?

I there definitely an option in IE6, somewhere in the "Privacy Settings", maybe under Internet Options. I believe that this can be set on a site by site basis, I don't use IE6, but lots of people have posted using it, so maybe someone else can help.

In Norton Personal Firewall, there is a "Browser Privacy Control" which needs to be disabled... I don't know if you can do it just for selected sites. Again I don't use this product, so maybe someone else can help with more details.

Sorry I can't be of more help.  If anyone else is having problems, then please email me directly, with details of ALL your Internet software.

Nigel

By SoakHerHose - Sat 28/09/02 02:47:57 GMT

Website:

I am unable to post unless I completely turn off ZoneAlarm. A message comes up saying that posting is not allowed unless referers are unblocked. I looked through all the ZoneAlarm and IE6 menus and could not find anything about referers.

Could you school us non-web-scripting-gurus what referers are, and possibly point us in the right direction on how to configure popular security packages like ZoneAlarm, Norton Firewall and IE6 to allow us to post on the forum without closing the firewall?

Thanks and thanks for your continuing work on this great new forum!!