Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66

To: debian-lts@lists.debian.org
Subject: Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66
From: Brian May <bam@debian.org>
Date: Mon, 19 Dec 2016 18:01:53 +1100
Message-id: <[🔎] 87eg14pfku.fsf@prune.linuxpenguins.xyz>
In-reply-to: <[🔎] 87inqgpfvu.fsf@prune.linuxpenguins.xyz>
References: <[🔎] 877f7a3x26.fsf@prune.linuxpenguins.xyz> <[🔎] 874m2d4l3e.fsf@prune.linuxpenguins.xyz> <[🔎] 87fulrnily.fsf@prune.linuxpenguins.xyz> <[🔎] 87d1gvng7c.fsf@prune.linuxpenguins.xyz> <[🔎] 87wpf0p8jg.fsf@prune.linuxpenguins.xyz> <[🔎] 87zijvk6k2.fsf@angela.anarc.at> <[🔎] 87lgvcpgj5.fsf@prune.linuxpenguins.xyz> <[🔎] 87inqgpfvu.fsf@prune.linuxpenguins.xyz>

Brian May <bam@debian.org> writes:

> Curiously while I can reproduce this in Firefox, I can't under Chrome,
> as it doesn't seem to provide the Referer header in this situation.

It looks like replacing the HTTP header with a block of JavaScript code
really does hide the Referer header in Firefox ESR version 45.5.1esr-1.

Ok, I wasn't exactly expecting that.

So my guess is that the white list only required for certain browsers,
or older browsers or something.
-- 
Brian May <bam@debian.org>

Reply to:

References:
- phpmyadmin / PMASA-2016-60
  - From: Brian May <bam@debian.org>
- Re: phpmyadmin / PMASA-2016-60
  - From: Brian May <bam@debian.org>
- Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66
  - From: Brian May <bam@debian.org>
- Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66
  - From: Brian May <bam@debian.org>
- Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66
  - From: Brian May <bam@debian.org>
- Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66
  - From: Brian May <bam@debian.org>
- Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66
  - From: Brian May <bam@debian.org>

Prev by Date: Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66
Next by Date: Re: Wheezy update of dcmtk?
Previous by thread: Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66
Next by thread: Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66
Index(es):
- Date
- Thread