[rt-devel] Following links offsite
seph
seph at commerceflow.com
Thu Jan 31 20:41:13 EST 2002
Security via obscurity is not very secure. Relying on it is poor.
seph
Bruce Campbell <bruce_campbell at ripe.net> writes:
> On Mon, 28 Jan 2002, Bruce Campbell wrote:
>
> > If I remember, I'll knock up something to go in /NoAuth to do what is
> > described in http://www.lboro.ac.uk/computing/providers/redirect.html .
>
> Actually, thinking more about this, I'm thinking that it's a security risk
> to link directly from an RT system offsite. Eg, if I follow a link from a
> displayed ticket (http://rt.example.com/Ticket/Display.html?id=349856), to
> a remote website, that website has just received, via my browser's passing
> of the HTTP_REFER field, the URL to my ticketing system, and the exact
> ticket that I'm working on.
>
> Ugh. Not a problem if the RT webserver is behind a firewall, but it is a
> problem if it's on a publicly available webserver and you've got a
> guessable password for people, or the authentication information for RT
> has been passed on the URL.
>
> I will knock something up for /NoAuth and do patches for the displaying of
> tickets.
>
> --
> Bruce Campbell, Systems/Network Engineer, RIPE NCC Operations
> www.ripe.net - PGP562C8B1B
>
> _______________________________________________
> rt-devel mailing list
> rt-devel at lists.fsck.com
> http://lists.fsck.com/mailman/listinfo/rt-devel
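The link-through-/NoAuth approach discussed above, as an added Python sketch that is not part of RT or of the patch Bruce mentions; the RT hostname (taken from the quoted ticket URL), the /NoAuth/Leave page name and the sample HTML are assumptions. It serves an intermediate HTML page rather than a bare 302, because browsers keep the linking page's Referer across HTTP redirects, so a 302 alone would still leak the ticket URL.

```python
import html
import re
from urllib.parse import urlparse, urlencode, parse_qs

RT_HOST = "rt.example.com"   # assumed RT host, from the ticket URL quoted in the thread
LANDING = "/NoAuth/Leave"    # hypothetical landing page under /NoAuth (no auth needed to view it)
ALLOWED_SCHEMES = ("http", "https")

def is_offsite(href):
    """True for absolute http(s) links to any host other than the RT server itself."""
    p = urlparse(href)
    return p.scheme in ALLOWED_SCHEMES and p.hostname != RT_HOST

def rewrite_links(page):
    """Route every offsite <a href> in rendered ticket HTML through the landing page,
    so the Referer the browser sends on the outbound hop never carries the ticket URL.
    (A regex is enough for this sketch; RT would do this in its display templates.)"""
    def repl(m):
        href = m.group(2)
        if is_offsite(href):
            href = LANDING + "?" + urlencode({"url": href})
        return m.group(1) + href + m.group(3)
    return re.sub(r'(<a\b[^>]*\bhref=")([^"]*)(")', repl, page, flags=re.I)

def landing_page(query_string):
    """Handler for the landing page: returns (status, headers, body).
    Only http(s) targets with a host are accepted, so the page cannot be used to
    hand the browser a javascript: or scheme-relative target. The Referer the
    destination may see is at most this page's own URL, which names no ticket."""
    target = parse_qs(query_string).get("url", [""])[0]
    p = urlparse(target)
    if p.scheme not in ALLOWED_SCHEMES or not p.netloc:
        return 400, {"Content-Type": "text/plain"}, "refusing to redirect to an unsupported URL"
    esc = html.escape(target, quote=True)
    body = ('<html><head><meta http-equiv="refresh" content="0; url=%s">'
            '<meta name="referrer" content="no-referrer"></head>'
            '<body>Leaving RT for <a href="%s" rel="noreferrer">%s</a></body></html>'
            % (esc, esc, esc))
    # Referrer-Policy and rel="noreferrer" are modern additions: browsers that honour
    # them send no Referer at all on the final hop.
    return 200, {"Content-Type": "text/html", "Referrer-Policy": "no-referrer"}, body
```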