[Phpmyadmin-devel] Redirecting external links

Dieter Adriaenssens dieter.adriaenssens at gmail.com
Mon Jan 31 15:51:59 CET 2011


Hi all,

2011/1/31 Michal Čihař <michal at cihar.com>:
> Hi all
>
> when going to another page, browsers send the Referer header to the next
> server. This could obviously leak some information from the original
> website. Given that we might include in the URL possibly sensitive
> information (e.g. SQL query), I've added a redirector (url.php) inside
> phpMyAdmin, which hides all the parameters, and all that the next site can
> see is <PmaAbsoluteUri>/url.php?url=<URL where you go>.
>
> On the other side, user might want to hide <PmaAbsoluteUri> as well.
> This can be only achieved by using some external redirector, for
> example we could place one at phpmyadmin.net. Any opinions about that?

Would it be default behaviour to redirect through phpmyadmin.net, or
is it an option?
What if phpmyadmin.net is unavailable (down, or not reachable by the
network where a local version of pma is installed), will links in PMA
not work?
If an external redirector is used, isn't the Referer sent with the
HTTP request header, traveling the internet in cleartext?

> PS: The referrer should not be sent when original site is using HTTPS,
> quoting RFC:
>
>> Clients SHOULD NOT include a Referer header field in a
>> (non-secure) HTTP request if the referring page was transferred with
>> a secure protocol.
>
> --
>        Michal Čihař | http://cihar.com | http://blog.cihar.com
>



-- 
Groetjes,

Dieter Adriaenssens
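
The Referer exposure discussed in this thread, modelled hop by hop as an added example (not part of the original message and not phpMyAdmin code). The host names, the sample query and the external redirector URL are constructed placeholders, and the model assumes each redirector serves a page that navigates onward, so its own URL becomes the next Referer.

```python
from urllib.parse import urlencode, urldefrag, urlsplit

# Constructed sample values; none of these come from the original thread.
PMA = "http://db.intranet.example/pma/"  # stands in for <PmaAbsoluteUri>
PAGE = PMA + "sql.php?" + urlencode({"db": "hr", "sql_query": "SELECT * FROM salaries"})
TARGET = "http://docs.example.org/manual.html"
EXTERNAL = "http://redirector.example.net/url.php"  # hypothetical external redirector


def referer_for(from_url, to_url):
    """Referer a client sends when navigating from from_url to to_url."""
    # RFC rule quoted in the thread: no Referer on a non-secure request
    # when the referring page was transferred with a secure protocol.
    if urlsplit(from_url).scheme == "https" and urlsplit(to_url).scheme == "http":
        return None
    return urldefrag(from_url).url  # the fragment is never sent


def via(redirector, url):
    """Build <redirector>?url=<URL where you go>."""
    return redirector + "?" + urlencode({"url": url})


def trace(hops):
    """Return [(host receiving the request, Referer it sees)] per navigation.

    Assumption: every intermediate hop is a document that navigates onward
    (link, meta refresh or script), so its URL is the next Referer.
    """
    return [(urlsplit(dst).netloc, referer_for(src, dst))
            for src, dst in zip(hops, hops[1:])]


def scenarios(page=PAGE):
    local, external = PMA + "url.php", via(EXTERNAL, TARGET)
    return {
        "direct": trace([page, TARGET]),
        "local redirector": trace([page, via(local, TARGET), TARGET]),
        "external redirector": trace([page, external, TARGET]),
        "local then external": trace([page, via(local, external), external, TARGET]),
    }


if __name__ == "__main__":
    for name, hops in scenarios().items():
        print(name)
        for host, referer in hops:
            print(f"  {host} sees Referer: {referer}")
```

In this model a link that goes straight to the external redirector hands that redirector the full page URL, query included; only when the link passes through the local url.php first does the external host see just the url.php address.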



