04-10-2003, 08:57 PM
rowan
Too lazy to set a custom title
 
Join Date: Mar 2002
Location: Australia
Posts: 17,393
sponsor stats leaking your USERNAME and PASSWORD to other sites

I'm becoming increasingly concerned at how some sponsors authenticate their stats - with the user and pass in the URL.

For example...

https://stats.globill-systems.com/cgi-bin/stats.cgi?partnerid=xxxxxx&password=xxxxxx
http://wm.mtree.com/wm.cgi/stats?mtaseqid=xxxxxx&mtapasswd=xxxxxx

There's too much chance for a referer 'leak', either with a direct link (globill's stats link directly to external sites - my u/p will show up in their referer logs if I click on those links), or with MSIE's buggy sending of referer lines from two or three pages back. With the latter scenario, ANY site you load could end up with your sponsor's u/p in their referer logs.

Non https:// URLs may get logged by any proxies you're using too. Anyone with access at optus@home (my ISP) can clearly see my moneytree ID and password in their proxy logs. Here's an example from my local caching proxy:

1050032864.223 7761 xxxxxx.xxxxxx.com TCP_MISS/200 67721 GET http://wm.mtree.com/wm.cgi/stats?mtaseqid=xxxxxx&mtapasswd=xxxxxx - DIRECT/wm.mtree.com text/html

This entry is sitting in a log file on my home unix gateway.

Am I the only one worried about this?

Last edited by rowan; 04-10-2003 at 09:00 PM..
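The proxy log entry quoted in the post is in Squid's native access.log format, and the exposure it illustrates (a credential sitting in the query string of a plaintext URL) is easy to detect mechanically. The following Python script is an added example, not code from the post or from any of the sponsors named in it: it parses Squid-style log lines, flags any request whose URL carries a credential-looking query parameter, reports whether the request was plain http (and so visible to every proxy on the path), and produces a redacted copy of the URL suitable for keeping in logs. The log lines, client address, IDs and password values are constructed placeholders; the parameter-name fragments used for matching are an assumption chosen to catch names like `password` and `mtapasswd`.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample lines in Squid native access.log format (timestamp, elapsed ms,
# client, result/status, bytes, method, URL, ident, hierarchy/peer, content type).
# Hosts, IDs and password values are placeholders, not real data.
SAMPLE_LOG = """\
1050032864.223 7761 203.0.113.10 TCP_MISS/200 67721 GET http://wm.mtree.com/wm.cgi/stats?mtaseqid=12345&mtapasswd=s3cret - DIRECT/wm.mtree.com text/html
1050032870.101 120 203.0.113.10 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/www.example.com text/html
1050032875.555 45 203.0.113.10 TCP_MISS/200 2048 GET http://www.example.com/page?search=cats&page=2 - DIRECT/www.example.com text/html
1050032880.777 800 203.0.113.10 TCP_MISS/200 9000 GET http://stats.example.net/login.cgi?partnerid=777&password=hunter2&view=daily - DIRECT/stats.example.net text/html
"""

# Assumed list of substrings that mark a query parameter as credential-bearing.
# Matched case-insensitively, so "password", "mtapasswd" and "PWD" all hit.
SENSITIVE_PARAM_FRAGMENTS = ("pass", "pwd", "secret", "token")

# One Squid native log line; the URL field is the only one we dig into.
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def is_sensitive_param(name):
    """True if a query parameter name looks like it carries a credential."""
    lowered = name.lower()
    return any(fragment in lowered for fragment in SENSITIVE_PARAM_FRAGMENTS)


def find_credential_params(url):
    """Return the names of query parameters in `url` that look like credentials."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if is_sensitive_param(name)]


def redact_url(url):
    """Return `url` with every credential-looking parameter value replaced by REDACTED.

    Other parameters (IDs, view options) are kept so the line stays useful for debugging.
    """
    parts = urlsplit(url)
    pairs = [(name, "REDACTED" if is_sensitive_param(name) else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_squid_log(text):
    """Scan Squid access-log text and return one finding per line whose URL leaks a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = SQUID_LINE.match(line)
        if not match:
            continue  # not a native-format line; skip rather than guess
        url = match.group("url")
        params = find_credential_params(url)
        if not params:
            continue
        parts = urlsplit(url)
        findings.append({
            "line": lineno,
            "client": match.group("client"),
            "host": parts.hostname,
            "params": params,
            # Plain http means every proxy between client and server sees the full URL.
            "plaintext": parts.scheme == "http",
            "redacted_url": redact_url(url),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_squid_log(SAMPLE_LOG):
        transport = "plaintext http" if finding["plaintext"] else "https"
        print(f"line {finding['line']}: {finding['client']} -> {finding['host']} "
              f"leaks {finding['params']} over {transport}")
        print(f"    redacted: {finding['redacted_url']}")
```

Run against a real Squid log, the scanner gives a defender two things the post asks for: evidence of which sponsor URLs are putting credentials on the wire, and a redacted form of each line that can replace the original in retained logs. Note that the https entry in the post is still a concern even though a proxy only sees the hostname for it, because the full URL still reaches the destination server's logs and the Referer header of any link followed from that page.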