When I click on the link, information about which websites I had visited before, my IP, etc., will be sent to the "evil" website. Using that data it's able to do malicious stuff on the server I visited last, since I had already logged on before.
The only compromising data is the referrer, or the URL to which you had been to before. It cannot tell which "websites" you had visited before, only the previous page. Yes, your IP is known, but it is known anyway, to every site you visit, and to everyone you email. Furthermore, most (if not all) browsers only send the referring information if you click on a a link, not if the browser is invoked by an external program. So this is only an issue with web-based email readers.
In summary, there is nothing to worry about. Just don't put information like passwords into URLs when writing scripts (a bad idea for more than the reason mentioned here) and everything will be fine. I really doubt that any major web mail services do such a thing anyway. Such holes were patched a long time ago.
As to how to avoid them while writing scripts (which almost makes this a perl question, but not quite), just store password information on the server (best) and/or use cookies and/or use HIDDEN input tags.
In reply to Re: Login and CGI security problem.
by turnstep
in thread Login and CGI security ("open cookie jar") problem.
by Novician
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |