Tuesday 10 August 2004

TBP, Firefox, Server Logs and the wrong referrers

If you are into analyzing your server logs, you may have come across some interesting HTTP referrers that appear to endorse (or link to) one of your pages. You may have also noticed that the browser making those requests is Firefox. However, after a quick visit to the referrer, you notice that your page wasn't mentioned at all. I have seen this scenario frequently with my server logs and I have always assumed it was due to a bug in Firefox.

Today, I found out that it isn't due to a bug in Firefox; it is due to a bug in Tabbrowser Preferences (TBP). TBP sends the wrong referrer when a URL is typed into the address bar of a new tab. The bug is also documented in Bugzilla.

According to the Open Source Vulnerability Database:

The TBP extension to Mozilla Firefox contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a new tab is created and a URL is typed directly into the address bar. This tab will incorrectly inherit the URL of the previous tab as an HTTP referrer, even if there was no direct link to the new URL. This will disclose a user's previous browsing information which may include private web space, session information, or login/password information if contained in the referring URL.

TBP 0.6.8 fixes this vulnerability, but unfortunately I am staying with TBP Lite (TBP 0.5).
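For anyone auditing their own logs, the check below is an added example (not part of the original post or of TBP) that flags Firefox requests whose external referrer exposes the kinds of data the OSVDB entry lists, and keeps only a redacted form of the URL. The log lines, SENSITIVE_KEYS, www.example.com and all function names are constructed for illustration; a log alone cannot tell a wrong referrer from a real link.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
# Assumed parameter names that usually carry secrets; extend for your own logs.
SENSITIVE_KEYS = {"sid", "sessionid", "phpsessid", "jsessionid", "token",
                  "password", "passwd", "pwd", "login", "user"}

def is_private_host(host):
    """True for private or loopback addresses and dot-less (intranet-style) names."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return "." not in host

def audit_line(line, own_hosts):
    """Return a finding for a Firefox request whose external referrer exposes data."""
    m = LOG_RE.match(line)
    if not m or "Firefox" not in m["agent"] or m["referer"] in ("", "-"):
        return None
    ref = urlsplit(m["referer"])
    host = (ref.hostname or "").lower()
    if not host or host in own_hosts:
        return None  # navigation within your own site is expected to carry a referrer
    reasons = []
    if ref.username or ref.password:
        reasons.append("credentials in URL")
    keys = {k.lower() for k, _ in parse_qsl(ref.query, keep_blank_values=True)}
    if keys & SENSITIVE_KEYS:
        reasons.append("sensitive parameters: " + ", ".join(sorted(keys & SENSITIVE_KEYS)))
    if is_private_host(host):
        reasons.append("private web space")
    # Keep only scheme, host and path so the finding does not repeat the leaked values.
    safe = f"{ref.scheme}://{host}{ref.path.split(';')[0]}"
    finding = {"client": m["client"], "path": m["path"], "referer": safe, "reasons": reasons}
    return finding if reasons else None

# Constructed sample log lines (not taken from a real server).
UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"
SAMPLE = [
    f'192.0.2.10 - - [10/Aug/2004:10:00:00 +0000] "GET /post.html HTTP/1.1" 200 512 "http://webmail.example.net/inbox?sid=abc123" "{UA}"',
    f'192.0.2.11 - - [10/Aug/2004:10:01:00 +0000] "GET / HTTP/1.1" 200 900 "http://alice:hunter2@intranet/wiki" "{UA}"',
    f'192.0.2.12 - - [10/Aug/2004:10:02:00 +0000] "GET / HTTP/1.1" 200 900 "http://blog.example.org/links.html" "{UA}"',
]

def audit(lines, own_hosts=frozenset({"www.example.com"})):
    return [f for f in (audit_line(line, own_hosts) for line in lines) if f]
```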