Mozilla Foundation Security Advisory 2008-16

HTTP Referrer spoofing with malformed URLs

Announced

March 25, 2008

Reporter

Gregory Fleischer, RSnake

Impact

Moderate

Products

Firefox, SeaMonkey

Fixed in

Firefox 2.0.0.13
SeaMonkey 1.1.9

Description

Security researcher Gregory Fleischer demonstrated a problem with the HTTP Referer: (sic) header sent with requests to URLs containing Basic Authentication credentials with empty usernames. In these cases a number of leading characters, based on the length of the password in the URL, are removed from the referrer hostname. Fleischer pointed out that websites which only check the Referer: header to protect against Cross-Site Request Forgery (CSRF) could be attacked using this flaw. This concept was based on and expanded from a post to the sla.ckers.org forum by security researcher RSnake.

References

Referrer spoofing bug
CVE-2008-1238
sla.ckers.org post

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Privacy Promise

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Product Promise

Firefox Relay

MDN Plus

Mozilla Manifesto

Mozilla Foundation

Get involved

Leadership

Careers

Mozilla Blog

Firefox Developer Edition

MDN Web Docs

Common Voice

Mozilla Innovation Projects

Mozilla Foundation Security Advisory 2008-16

HTTP Referrer spoofing with malformed URLs

Description

References