Open dadrian opened 8 years ago
Pretty certain this is a django thing.
Also, I'm not sure I follow what you mean by "coming from a non-tbp.engin.umich.edu domain". How else would you be navigating to the site? Raw IP address?
Mike Hand
On Wed, Feb 3, 2016 at 9:32 PM, David Adrian notifications@github.com wrote:
If you send a request to any URL at tbp.engin.umich.edu without setting the Referrer header, the request is rejected because "this may be an account hijack". This security reasoning is dubious at best, has major privacy implications if you're coming from a non tbp.engin.umich.edu domain, and is trivial to bypass in the event you did steal a session cookie---all you have to do is set the referrer header.
This might need to be reported upstream to Django, but this check is worthless at best, and harmful at worst.
— Reply to this email directly or view it on GitHub https://github.com/tbpmig/mig-website/issues/204.
I mean, if I was on foo.com, and then clicked a link to tbp.engin.umich.edu, the Referrer would be foo.com.
Ah, ok. So I guess I'm not seeing a situation where there wouldn't be a Referrer header, or how that leads to privacy issues. Not saying it's not an issue, just not one I currently understand well enough to be any help.
And yes, this is a Django thing, or at least default behavior. There's a Django config I have enabled that limits what host names you can use to get to the site, but that sounds like something different.
On Thursday, February 4, 2016, David Adrian notifications@github.com wrote:
I mean, if I was on foo.com, and then clicked a link to tbp.engin.umich.edu, the Referrer would be foo.com.
— Reply to this email directly or view it on GitHub https://github.com/tbpmig/mig-website/issues/204#issuecomment-180005589.
Michael Hand Electrical Engineering/Control Systems M.S.E. The University of Michigan mikehand@umich.edu
This is the documentation I found in the Django write-up that I think covers what you're talking about: https://docs.djangoproject.com/en/1.9/ref/csrf/
Note that we're not using that version of Django, so we may need to update if the old way of handling things is out of date.
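The behaviour under discussion is the strict Referer check that Django's CsrfViewMiddleware applies to unsafe methods (POST, PUT, ...) over HTTPS, documented at the link above. The block below is an added example, not Django's code and not part of the mig-website project: it is a simplified, hypothetical re-implementation of that documented check, run against constructed request dicts (no network traffic), so that the cases raised in the thread can be compared side by side: a link clicked on foo.com, a cross-site form post, a request whose browser or proxy stripped the header, and an attacker who holds a stolen session cookie and simply sets the header.

```python
from urllib.parse import urlparse

# Added, hypothetical model of the Referer check in Django's CsrfViewMiddleware
# (1.x). It reproduces the documented behaviour only; it is not Django's code.
# Requests are plain dicts constructed below, not real HTTP traffic.

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_BAD_REFERER = "Referer checking failed - %s does not match %s."
SITE = "tbp.engin.umich.edu"


def _origin(scheme, host, port):
    """Normalise (scheme, host, port) so that a default port compares equal."""
    default = {"http": 80, "https": 443}.get(scheme)
    return (scheme, host, port or default)


def referer_check(request):
    """Return None if the request passes the Referer check, else the rejection reason.

    request: {"method", "scheme", "host", "headers": {...}}
    """
    if request["method"] in SAFE_METHODS:
        return None  # CSRF checks never apply to safe methods, so a clicked link passes
    if request["scheme"] != "https":
        return None  # the strict Referer check is only enforced for HTTPS requests
    referer = request["headers"].get("Referer")
    if not referer:
        return REASON_NO_REFERER  # the rejection the issue complains about
    expected = "https://%s/" % request["host"]
    ref, exp = urlparse(referer), urlparse(expected)
    if _origin(ref.scheme, ref.hostname, ref.port) != _origin(exp.scheme, exp.hostname, exp.port):
        return REASON_BAD_REFERER % (referer, expected)
    return None


def make_request(referer=None, method="POST", session="stolen-session-cookie"):
    """Construct a request to the site, optionally carrying a Referer header."""
    headers = {"Host": SITE, "Cookie": "sessionid=%s" % session}
    if referer is not None:
        headers["Referer"] = referer
    return {"method": method, "scheme": "https", "host": SITE, "headers": headers}


def scenarios():
    """Outcome of the check for each situation raised in the thread."""
    return {
        # link clicked on foo.com: a GET, so the check is never consulted
        "get_from_foo.com": referer_check(make_request("https://foo.com/", "GET")),
        # a form on foo.com posting cross-site: the CSRF case the check exists for
        "post_from_foo.com": referer_check(make_request("https://foo.com/")),
        # browser, extension or proxy stripped the header (e.g. Referrer-Policy: no-referrer)
        "post_no_referer": referer_check(make_request(None)),
        # attacker with the stolen session cookie sets the header to the site itself
        "post_forged_referer": referer_check(make_request("https://%s/" % SITE)),
        # same origin written with an explicit :443 still matches after normalisation
        "post_explicit_port": referer_check(make_request("https://%s:443/some/page" % SITE)),
    }


if __name__ == "__main__":
    for name, reason in scenarios().items():
        print("%-22s %s" % (name, "accepted" if reason is None else reason))
```

The two outcomes worth comparing are `post_no_referer` and `post_forged_referer`: the check rejects a legitimate user whose browser suppressed the header, while a client that already holds the session cookie passes by adding one line. The check's actual target is the cross-site `post_from_foo.com` case, where a browser fills in the Referer on the attacker's behalf and cannot be told to lie about it.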