Using PHP's $_SERVER["HTTP_REFERER"] to protect an external-link jump page against the arbitrary URL redirect vulnerability

2014-06-14T00:00:00
ID MYHACK58:62201449513
Type myhack58
Reporter Anonymous
Modified 2014-06-14T00:00:00

Description

360 reports an arbitrary URL redirect vulnerability on this site

With some rare spare time, I started tinkering with my new blog, haha. While browsing my microblog feed I happened across 360 and wanted to try scanning my website with it. The result was a surprise: it reported an arbitrary URL redirect vulnerability:

> This vulnerability could lead to the site's users being phished, causing unnecessary losses and seriously damaging the site's image in the eyes of its users!

Vulnerability address:

> http://ziren.org/app/zr-s.php?url=http://oxoxoxoxoxoxox.com

Scan results:

[Image: ziren.org security report indicating an arbitrary URL redirect vulnerability]

Why is this a problem?

In fact, this is something I set up myself: without affecting the user experience, and for the sake of so-called site weight, all external links leave the site through this one exit, and the link is blocked from search engines. Thinking it over, though, it is worth changing: if someone used this setup for shady purposes, it would be very unfair on my host, and the site could well be added to a blacklist by xxx or the like. The less trouble the better. So let's add a PHP $_SERVER["HTTP_REFERER"] check:

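```php
<?php
// Read the Referer header; treat a missing header as an empty string.
$check_url = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if ($check_url != "") {
    // Split the Referer into its components (scheme, host, path, ...).
    $check_url = parse_url($check_url);
    // Stop unless the request came from a page on ziren.org.
    if (!isset($check_url['host']) || $check_url['host'] != 'ziren.org') {
        $url = 'http://ziren.org/';
        exit();
    }
}
?>
```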
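An added example, not part of the original post: the same Referer check written as a function and run over constructed Referer values, including the empty-Referer case, which the check above skips entirely. The function names, the http/https restriction on the target and the sample values are assumptions made for illustration.

```php
<?php
// Added example (not from the original post). Function names and the
// sample Referer values below are constructed for illustration.

// Returns true only when the Referer header names $site_host.
// Unlike the check above, a missing or unparsable Referer is rejected.
function referer_is_same_site($referer, $site_host)
{
    if (!is_string($referer) || $referer === '') {
        return false;                            // no Referer sent at all
    }
    $host = parse_url($referer, PHP_URL_HOST);   // null/false if absent or malformed
    if (!is_string($host)) {
        return false;
    }
    // Hostnames are case-insensitive; compare the whole host, not a substring.
    return strcasecmp($host, $site_host) === 0;
}

// Assumption: the jump page should only ever send visitors to http(s) URLs.
function target_is_http_url($url)
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $host   = parse_url($url, PHP_URL_HOST);
    return is_string($scheme) && is_string($host)
        && in_array(strtolower($scheme), array('http', 'https'), true);
}

function decide($referer, $target, $site_host = 'ziren.org')
{
    if (referer_is_same_site($referer, $site_host) && target_is_http_url($target)) {
        return $target;                          // follow the external link
    }
    return 'http://' . $site_host . '/';         // otherwise go to the home page
}

// Constructed cases: [Referer, url parameter]
$cases = array(
    array('http://ziren.org/post/1',         'http://example.com/'),
    array('',                                'http://example.com/'),
    array('http://ziren.org.example.net/x',  'http://example.com/'),
    array('http://example.net/?r=ziren.org', 'http://example.com/'),
    array('http://ZIREN.ORG/post/1',         'ftp://example.com/'),
);
foreach ($cases as $c) {
    printf("%-34s -> %s\n", $c[0] === '' ? '(no Referer)' : $c[0], decide($c[0], $c[1]));
}
```

Only the first case returns the external target; the other four fall back to the home page. Because the Referer header is supplied by the client and is not always sent, rejecting an empty Referer also stops the jump for visitors whose browser omits it.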

Under what circumstances does HTTP_REFERER fail?

Just click hyperlink A, i.e.,<a href=#>