[rt-devel] Following links offsite

seph seph at commerceflow.com
Thu Jan 31 20:41:13 EST 2002

security via obscurity is not very secure. relying on it is poor.


Bruce Campbell <bruce_campbell at ripe.net> writes:

> On Mon, 28 Jan 2002, Bruce Campbell wrote:
> > If I remember, I'll knock up something to go in /NoAuth to do what is
> > described in http://www.lboro.ac.uk/computing/providers/redirect.html .
> Actually, thinking more about this, I'm thinking that it's a security risk
> to link directly from an RT system offsite.  E.g., if I follow a link from a
> displayed ticket (http://rt.example.com/Ticket/Display.html?id=349856), to
> a remote website, that website has just received, via my browser's passing
> of the HTTP_REFER field, the URL to my ticketing system, and the exact
> ticket that I'm working on.
> Ugh.  Not a problem if the RT webserver is behind a firewall, but it is a
> problem if it's on a publicly available webserver and you've got a
> guessable password for people, or the authentication information for RT
> has been passed on the URL.
> I will knock something up for /NoAuth and do patches for the displaying of
> tickets.
> -- 
>                              Bruce Campbell                            RIPE
>                    Systems/Network Engineer                             NCC
>                  www.ripe.net - PGP562C8B1B                      Operations
> _______________________________________________
> rt-devel mailing list
> rt-devel at lists.fsck.com
> http://lists.fsck.com/mailman/listinfo/rt-devel
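The /NoAuth bounce page Bruce describes, as an added example that is not part of the thread and not RT's own code: offsite links in a rendered ticket page are rewritten to pass through an unauthenticated bounce page, so the Referer the remote site sees is the bounce page's URL rather than the ticket URL. The file name `/NoAuth/Redirect.html`, the `url=` parameter and the sample HTML are assumptions; the RT host name is the one from the quoted message.

```python
"""Rewrite offsite links in a rendered RT ticket page so they pass through an
unauthenticated bounce page under /NoAuth, keeping the ticket URL out of the
Referer header the remote site receives.  Added example, not RT's own code."""
import re
from html import escape
from urllib.parse import urlsplit, quote, parse_qs

RT_HOST = "rt.example.com"               # RT host from the quoted message
REDIRECT_PATH = "/NoAuth/Redirect.html"  # hypothetical name for the bounce page

HREF_RE = re.compile(r'href="([^"]*)"', re.IGNORECASE)


def is_offsite(href, rt_host=RT_HOST):
    """True for absolute http(s) links that point away from the RT host."""
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return False            # relative links, mailto:, anchors stay untouched
    return parts.hostname != rt_host.lower()


def rewrite_offsite_links(html, rt_host=RT_HOST, redirect_path=REDIRECT_PATH):
    """Replace every offsite href in the ticket HTML with a link to the bounce
    page; the real target travels URL-encoded in the query string."""
    def repl(match):
        href = match.group(1)
        if not is_offsite(href, rt_host):
            return match.group(0)
        return 'href="%s?url=%s"' % (redirect_path, quote(href, safe=""))
    return HREF_RE.sub(repl, html)


def bounce(query_string):
    """Server side of the bounce page.  Returns (status, body).

    Only http(s) targets with a host are accepted, so the page cannot be
    abused as an open redirector to javascript: or data: URLs.  The target is
    HTML-escaped before it is put into the page."""
    target = parse_qs(query_string).get("url", [""])[0]
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return 400, "bad redirect target"
    safe_target = escape(target, quote=True)
    body = ('<html><head><meta http-equiv="refresh" content="0;url=%s">'
            '</head><body><a href="%s">Continue</a></body></html>'
            % (safe_target, safe_target))
    return 200, body


if __name__ == "__main__":
    # Constructed sample of a rendered ticket page with one offsite link.
    sample = ('<a href="/Ticket/Display.html?id=349856">this ticket</a> '
              '<a href="http://www.lboro.ac.uk/computing/providers/redirect.html">'
              'redirect notes</a>')
    print(rewrite_offsite_links(sample))
```

The bounce page answers with a 200 and a meta refresh rather than an HTTP 302 on purpose: browsers keep the original page's Referer when they follow an HTTP redirect, so a 302 from the bounce page would still hand the ticket URL to the remote site. Whatever Referer the remote site does receive from the bounce page identifies only the bounce page and the target, never the ticket id.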
