On Thu, Jun 01, 2006 at 08:57:31PM +0200, freenetwork at web.de wrote:
> >Woah (re Ubernode.org). One button click, you can add its ref to you.
> >
> >Here's a simple countermeasure: Check the Referer, and if it's set
> >(outside 127.0.0.1:<port>), verify whatever transaction it is with
> >another POST form.
>
> Can be faked by the server.
How? As far as I can see that's equivalent to faking the URL in the
location bar, which is regarded as a critical security bug in a browser?
-- 
Matthew J Toseland - toad at amphibian.dyndns.org
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
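The Referer rule from the quoted message, applied to a node's localhost web interface, as an added example (not Freenet's code, not from either poster). The port number, the LOCAL_HOSTS set and the /confirm path are assumptions, and the example goes one step past the text by also treating an unparseable or userinfo-spoofed Referer as outside the node.

```python
from urllib.parse import urlsplit

# Hosts the node's own web interface answers on (assumption for this example).
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}


def referer_is_local(referer: str, port: int) -> bool:
    """True only when Referer names the node's own interface: local host AND port.

    A different port on 127.0.0.1 is some other local service, not the node.
    'http://127.0.0.1:8888@evil.example/' parses to host 'evil.example', so
    the userinfo trick does not pass either.
    """
    try:
        parts = urlsplit(referer)
        host, ref_port = parts.hostname, parts.port  # .port raises on junk
    except ValueError:
        return False
    if host is None:
        return False
    if ref_port is None:
        ref_port = 443 if parts.scheme == "https" else 80
    return host.lower() in LOCAL_HOSTS and ref_port == port


def decide(headers: dict, port: int) -> str:
    """Decision for a state-changing POST such as 'add this node reference'.

    'apply'   - carry out the transaction now
    'confirm' - render the node's own confirmation page; only its POST applies
    """
    referer = headers.get("Referer", "")
    if referer == "":
        # The thread's rule fires only when Referer is set; an absent header
        # is taken as a direct request typed into the local interface.
        return "apply"
    return "apply" if referer_is_local(referer, port) else "confirm"


def two_step(first_headers: dict, port: int) -> list:
    """Constructed walk-through of the countermeasure: a POST arriving with an
    outside Referer is held, the node serves its confirmation form, and the
    second POST (whose Referer is now the node's own page) is the one applied."""
    steps = [decide(first_headers, port)]
    if steps[0] == "confirm":
        confirm_headers = {"Referer": f"http://127.0.0.1:{port}/confirm"}
        steps.append(decide(confirm_headers, port))
    return steps
```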
