homepage Welcome to WebmasterWorld Guest from 23.22.8.126
register, login, search, subscribe, help, library, PubCon, announcements, recent posts, open posts,
Accredited PayPal World Seller

Visit PubCon.com
Home / Forums Index / Hardware and OS Related Technologies / Linux, Unix, and *nix like Operating Systems
Forum Library : Charter : Moderators: bakedjake

Linux, Unix, and *nix like Operating Systems Forum

    
Referer spoofing
peace




msg:911668		 10:05 am on Mar 6, 2003 (gmt 0)

Hello,

I'm looking to find a way to stop spoofing programs.
As most of You know, this little evils are by passing
Your .htaccess file with sending a real referrer url.

Here's my htaccess file
-----------------------------
AuthUserFile /dev/null
AuthGroupFile /dev/null

RewriteEngine On
RewriteCond %{HTTP_REFERER}!^http://mydomain.com/ [NC]
RewriteCond %{HTTP_REFERER}!^http://www.mydomain.com/ [NC]
RewriteRule /* [mydomain.com...] [R,L]
-----------------------------
This can be spoofed easily and I need to find a solution since my site is somehow popular and my members area is
keep being published in warez sites.

My site is an AVS protected site and I have to use something
similar to this one above.

Would love to read Your oppinions on this one.

Thanks

[edited by: littleman at 10:18 am (utc) on Mar. 6, 2003]
[edit reason] took out the adult site references [/edit]

 

Dreamquick




msg:911669		 12:40 pm on Mar 7, 2003 (gmt 0)

You can't really defend against cross-site referrer spoofing as you are relying on the user to tell the truth! It's that simple.

To make any half-decent security solution you would need to augment the referrer-based system somehow and to be honest I think you'll find that the amount of work involved in this is prohibitive - essentially you'd be re-inventing the wheel (where the wheel in this case is user-authentication).

However if they are going from a site you control to another site you control and then you could probably have some fun with dynamic pages and a database - ie you generate a "launch" page which uses a unique URL, this URL is entered into the database and stays valid for x minutes.

When the user goes to the other site they will pass that unique URL in their referrer, the other site spots this and authenticates them for access to the site and at the same time removes the "launch" URL as a valid authenticator.

Since the unique URL would only be shown to valid in users (I presume they would have logged in at this point) and would only work once you have something which is pretty hard to spoof and pointless in linking :)

- Tony

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Hardware and OS Related Technologies / Linux, Unix, and *nix like Operating Systems
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About
WebmasterWorld ® and PubCon ® are a Registered Trademarks of Pubcon Inc.
© Pubcon Inc. 1996-2012 all rights reserved