[Phpmyadmin-devel] Redirecting external links

Isaac Bennetch bennetch at gmail.com
Mon Jan 31 17:52:08 CET 2011


Hi,

On 1/31/2011 9:34 AM, Michal Čihař wrote:
> Hi all
>
> when going to another page, browsers send the Referer header to the next
> server. This could obviously leak some information from the original
> website. Given that we might include in the URL possibly sensitive
> information (e.g. SQL query), I've added a redirector (url.php) inside
> phpMyAdmin, which hides all the parameters, and all that the next site can
> see is <PmaAbsoluteUri>/url.php?url=<URL where you go>.

Yes, this seems good.

> On the other side, the user might want to hide <PmaAbsoluteUri> as well.
> This can only be achieved by using some external redirector, for
> example we could place one at phpmyadmin.net. Any opinions about that?

I think it's not worth the hassle. While I do understand that some users 
may want to hide their URL as an additional layer of security, there are 
some very good questions being asked about what happens if the 
redirector is down, if it can handle/is permitted to handle the amount 
of traffic we could potentially generate, and most importantly about the 
likelihood of the redirector itself collecting the referrer information. 
Not to mention the question of whether it's phpMyAdmin's responsibility 
to obscure this in the first place (for the truly paranoid, there are 
ways to accomplish this across an entire system, rather than a single 
application).

I vote no, for what that's worth.

On 1/31/2011 10:04 AM, Marc Delisle wrote:
> How about generating these redirections via js? I have seen this
> somewhere.

Perhaps you're referring to the use of an iframe + javascript such as is 
described at 
http://www.knowlegezone.com/documents/75/Hide-referer-IE-and-Firefox/
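
The effect of the url.php redirector discussed in this thread, as an added example that is not part of the original e-mail and is not phpMyAdmin's code: it finds links that leave the installation directly, routes them through url.php, and compares which query parameters the external site would learn from the Referer in each case. The host names, the `example.php` page and its parameter names are constructed, and the model takes the message's statement that the next site sees only the url.php address as given.

```javascript
// Added example, not phpMyAdmin code. All URLs and parameter names are constructed.
const PMA_ABSOLUTE_URI = 'https://db.example.test/phpmyadmin/'; // stands in for <PmaAbsoluteUri>

// Link form described in the message: <PmaAbsoluteUri>/url.php?url=<URL where you go>
function viaRedirector(externalUrl) {
  return PMA_ABSOLUTE_URI + 'url.php?url=' + encodeURIComponent(externalUrl);
}

// Absolute http(s) hrefs in an HTML fragment that leave the installation directly.
function directExternalLinks(html) {
  const out = [];
  for (const m of html.matchAll(/href="(https?:\/\/[^"]+)"/g)) {
    if (!m[1].startsWith(PMA_ABSOLUTE_URI)) out.push(m[1]);
  }
  return out;
}

// The same fragment with those links routed through url.php.
function rewriteExternalLinks(html) {
  return html.replace(/href="(https?:\/\/[^"]+)"/g, (whole, url) =>
    url.startsWith(PMA_ABSOLUTE_URI) ? whole : `href="${viaRedirector(url)}"`);
}

// Query parameter names a destination learns from a given Referer value.
function paramsExposed(referer) {
  return [...new URL(referer).searchParams.keys()];
}

// Referer the external site receives for a click on `href` from `pageUrl`.
// Assumption taken from the message: after url.php, only the url.php address is visible.
function refererAtDestination(pageUrl, href) {
  return href.startsWith(PMA_ABSOLUTE_URI + 'url.php?') ? href : pageUrl;
}

// Constructed page: a result page whose URL carries the SQL query,
// with one external link and one internal link.
const pageUrl = PMA_ABSOLUTE_URI + 'example.php?db=shop&query=' +
  encodeURIComponent('SELECT * FROM customers') + '&token=constructed';
const html = '<a href="https://docs.example.org/manual">doc</a> ' +
  '<a href="' + PMA_ABSOLUTE_URI + 'index.php">home</a>';

const before = directExternalLinks(html);
const after = directExternalLinks(rewriteExternalLinks(html));
console.log('direct links before:', before,
  'exposed:', paramsExposed(refererAtDestination(pageUrl, before[0])));
console.log('direct links after:', after,
  'exposed:', paramsExposed(refererAtDestination(pageUrl, viaRedirector(before[0]))));
```

Running `directExternalLinks` over rendered pages is also a quick check for links that were missed when the redirector was introduced.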





