noteworthy wrote:

http://www.memestreams.net/memebox?mode=showmeme&oid=422632

That isn't really a secret, but it's not a URL you'd serve up to just anybody. (The message doesn't display if it's not yours.)

No, it doesn't, but other vulnerabilities could be employed to delete if from your memebox. You'd have to guess which user and entice them to click on a link. Unfortuantely there is no fast and easy way to resolve that, but thanks for pointing it out...

Decius wrote:

noteworthy wrote:

http://www.memestreams.net/memebox?mode=showmeme&oid=422632

That isn't really a secret, but it's not a URL you'd serve up to just anybody. (The message doesn't display if it's not yours.)

No, it doesn't, but other vulnerabilities could be employed to delete if from your memebox. You'd have to guess which user and entice them to click on a link. Unfortuantely there is no fast and easy way to resolve that, but thanks for pointing it out...

As for the Deleting problem this is simply XSRF rearing its head again and actually you can fix it fairly easily: Always always always have a landing page!

Right off the bat, I should never be able visit a single URL and the result of me visiting that URL is that a meme gets deleted.

1- This violates RFC 2616 about HTTP's "safe" methods GET and HEAD vs. a POST.
2- This is why Google's Web Accelerator fucked some many websites (mainly people who learned some Ruby and Rails and suddenly thought they are web developers).
3- This makes you way vulnerable to XSRF. I just point the target of a Hyperlink or an IMG+SRC, etc, at the "delete" URL and watch the fun.

Every "delete this meme" link on should take you to a page that says "are you sure?" On that "are you sure" page, the server should place a random, time limited token in a hidden HTML field. The "yes, delete this" should be a button that causes a HTTP POST back to Memestreams with the oid of the meme and the random token. Only if the supplied token matches what the server pushed down should the meme deleted.

I can think of two special cases where an "Are you sure" landing page isn't practical for deleting meme on Memestreams:

1- Multiple select memes in the Memebox summary page to delete. The "delete" button already makes a POST, so you are safe there. Every time the summary page is generated a random token should a hidden HTML field should be downloaded. If you really want to be paranoid you can store on the server in your Sessions collection what oid's can be deleted with a token for that user. That way a single token for generated from a Memebox summary page cannot be used to delete memes that weren't shown on that summary page. Regardless, you can fix this.

2-When viewing a single meme. Again, same as before. Make "delete this meme" a button and style it to look nice. Send down a token whenever someone looks at an individual meme.

noteworthy wrote:
Conceivably these referring URLs could contain 'private' information. At the moment, they include URLs things like this:

http://www.memestreams.net/memebox?mode=showmeme&oid=422632

That isn't really a secret, but it's not a URL you'd serve up to just anybody. (The message doesn't display if it's not yours.)

People should be aware that their web browser may publicize their MemeStreams search queries via the "referer" [sic] header, which may then be posted publicly by YouTube for others to see.

Search queries are frequently exposed via referral URLs, but it is perhaps less common to see them posted publicly like this.

The number one rule of web security is "Don't trust what you get from the client." Rule number 1a (because its derived from rule 1) is "Never give the client anything that is a secret or private because you cannot trust them to keep it a secret."

Given rule 1a, why are you guys considering anything in the URL of a Memestreams link a secret? It's common to make this mistake. Google made the same mistake with the Zoom feature in Google Maps, allowing the Google Maps Zoom Hack.

Who cares about an oid? If your web app is secure, it doesn't matter. Does it matter that the Scarface DVD has a product code of 1234567 on Amazon? No, because everything bad I could do with that knowledge (uses XSRF to add my upcoming book to your shooping cart for example) is protected against.