[rt-devel] Following links offsite

Bruce Campbell bruce_campbell at ripe.net
Mon Jan 28 12:39:07 EST 2002


On Mon, 28 Jan 2002, Bruce Campbell wrote:

> If I remember, I'll knock up something to go in /NoAuth to do what is
> described in http://www.lboro.ac.uk/computing/providers/redirect.html .

Actually, thinking more about this, I'm thinking that it's a security risk
to link directly from an RT system offsite.  E.g., if I follow a link from a
displayed ticket (http://rt.example.com/Ticket/Display.html?id=349856), to
a remote website, that website has just received, via my browser's passing
of the HTTP_REFERER field, the URL to my ticketing system, and the exact
ticket that I'm working on.

Ugh.  Not a problem if the RT webserver is behind a firewall, but it is a
problem if it's on a publicly available webserver and you've got a
guessable password for people, or the authentication information for RT
has been passed on the URL.

I will knock something up for /NoAuth and do patches for the displaying of
tickets.

-- 
                             Bruce Campbell                            RIPE
                   Systems/Network Engineer                             NCC
                 www.ripe.net - PGP562C8B1B                      Operations
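As an added illustration of the /NoAuth redirect idea in the message above (example code written for this page, not Bruce's patch or RT's own code), off-site links on a ticket page are rewritten to pass through a local redirect page, which then forwards the browser without a referrer so the destination never sees the ticket URL. The redirect path, the `url` parameter and the use of `rel="noreferrer"` and the `referrer` meta tag (which did not exist in 2002) are assumptions.

```python
"""De-referrer for off-site links on a ticket page (added example)."""
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

RT_HOST = "rt.example.com"               # host from the message
REDIRECT_PATH = "/NoAuth/Redirect.html"  # hypothetical path under /NoAuth

HREF_RE = re.compile(r'href="(https?://[^"]+)"')


def is_offsite(url: str) -> bool:
    """True when an absolute URL points somewhere other than the RT host."""
    return urlsplit(url).hostname not in (None, RT_HOST)


def rewrite_links(ticket_html: str) -> str:
    """Route every off-site href through the local redirect page."""
    def repl(m: re.Match) -> str:
        url = m.group(1)
        if not is_offsite(url):
            return m.group(0)          # on-site links stay untouched
        return 'href="%s?%s"' % (REDIRECT_PATH, urlencode({"url": url}))
    return HREF_RE.sub(repl, ticket_html)


def redirect_page(query_string: str):
    """Return (status, body) for a request to REDIRECT_PATH.

    Only http/https targets are forwarded, so the page cannot be used as a
    hop to javascript:, data: or other non-web schemes.  The meta refresh
    plus the no-referrer policy means the destination receives neither the
    ticket URL nor the redirect URL as a referrer.
    """
    target = parse_qs(query_string).get("url", [""])[0]
    if urlsplit(target).scheme not in ("http", "https"):
        return 400, "<p>Refusing to redirect to a non-http URL.</p>"
    safe = html.escape(target, quote=True)
    body = (
        '<html><head><meta name="referrer" content="no-referrer">'
        '<meta http-equiv="refresh" content="0;url=%s"></head>'
        '<body><a href="%s" rel="noreferrer">Continue</a></body></html>'
        % (safe, safe)
    )
    return 200, body


if __name__ == "__main__":
    # Constructed ticket fragment: one on-site link, one off-site link.
    page = ('<a href="http://rt.example.com/Ticket/Display.html?id=349856">me</a> '
            '<a href="http://www.lboro.ac.uk/computing/providers/redirect.html">ext</a>')
    print(rewrite_links(page))
```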