Bugtraq mailing list archives
Re: The Dangers of Allowing Users to Post Images
From: "Chris Lambert" <clambert () gamespy com>
Date: Thu, 14 Jun 2001 21:11:14 -0400
Unfortunately, there are way too many sites which simply use HTTP GET. Why? Well, in PHP, variables submitted to the form are all accessible via $theirname upon start of execution. This is a feature for the lazy, as they don't have to reference array $HTTP_POST_VARS, array $HTTP_GET_VARS, or array $HTTP_COOKIE_VARS. So, most PHP scripts taking user input (chat scripts, message boards, poll scripts, user comments, anything...) will consider a POST var the same as a GET var.

In Perl, because it wasn't originally tailored to the web (although I don't have much experience with it), I believe that GET is separated from POST.

Yes, it is a surprise that this hasn't been posted before. The Zope page Sverre linked to is similar, but didn't make the connection with inline images.

--
WhiteCrown Networks - Web Application Security
www.whitecrown.net - services () whitecrown net
______________________________
/ Chris Lambert - cjlambert () home com
|-> ICQ #: 16435685 - AIM: ClipperChris
`-> Cell: (401) 743-2786 - http://sms.clambert.org/

----- Original Message -----
From: Richard M. Smith <rms () privacyfoundation org>

| This is a *very* interesting finding. It seems
| kind of obvious too. I wonder why no one seems
| to have run across it before.
|
| This same weakness can be exploited from an
| HTML email message also. The bottom line is that
| a privileged operation should always require
| an HTTP POST and never allow a GET. Hmm, I wonder how many
| Web sites break this rule?
|
| Richard M. Smith
| CTO, Privacy Foundation
| http://www.privacyfoundation.org
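The exchange above describes two things: a script that reads a variable from a single merged namespace (so it cannot tell a query-string value from a submitted form value) and an attacker who exploits that with an inline image, which only ever issues a GET. The following is an added example, not code from the thread or from any of the posters: a small Python model of such a "register_globals"-style handler next to a hardened one. It goes one step past Richard Smith's "require POST" rule by also checking a per-session token, because a cross-site form can be auto-submitted as a POST; the request class, the board store, the SERVER_SECRET value and the session/cookie names are all invented for the illustration.

```python
# Added example (not from the original thread): a minimal model of the GET/POST
# confusion described above, beside a handler that requires POST and a
# per-session anti-forgery token. Names, URLs and the secret are assumptions.
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

SERVER_SECRET = b"rotate-me-in-production"  # assumed server-side secret


class Request:
    """Tiny stand-in for an HTTP request: method, URL query, form body, cookies."""

    def __init__(self, method, url, body="", cookies=None):
        self.method = method.upper()
        self.query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        self.form = ({k: v[0] for k, v in parse_qs(body).items()}
                     if self.method == "POST" else {})
        self.cookies = dict(cookies or {})


def merged_vars(req):
    """register_globals-style namespace: cookie, GET and POST values all land in
    one dict, so the script cannot tell a query string from a submitted form."""
    merged = {}
    for source in (req.cookies, req.query, req.form):  # later sources override
        merged.update(source)
    return merged


def vulnerable_post_message(req, board):
    """The lazy script: whatever arrives as $msg gets posted, GET or POST alike."""
    values = merged_vars(req)
    if "msg" in values:
        board.append(values["msg"])
        return 200
    return 400


def csrf_token(session_id):
    """Token bound to the victim's session; a third-party page cannot compute it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_post_message(req, board):
    """State-changing operation: POST only, body parameters only, token checked."""
    if req.method != "POST":
        return 405
    session_id = req.cookies.get("sid")
    token = req.form.get("token", "")
    if not session_id or not hmac.compare_digest(
            token.encode(), csrf_token(session_id).encode()):
        return 403
    if "msg" not in req.form:
        return 400
    board.append(req.form["msg"])
    return 200


def demo():
    """Replays the attack from the thread: an <img src=...> only ever issues a GET,
    carrying the victim's cookie. Returns the status codes and resulting boards."""
    image_fetch = Request("GET", "http://board.example/post.php?msg=pwned",
                          cookies={"sid": "victim-session"})
    vuln_board, hard_board = [], []
    results = {
        "vuln_get": vulnerable_post_message(image_fetch, vuln_board),
        "hard_get": hardened_post_message(image_fetch, hard_board),
    }
    # A forged POST (e.g. an auto-submitting form) lacks the token and is refused
    forged = Request("POST", "http://board.example/post.php", body="msg=pwned",
                     cookies={"sid": "victim-session"})
    results["hard_forged_post"] = hardened_post_message(forged, hard_board)
    # The legitimate form carries the token the server rendered for this session
    legit = Request("POST", "http://board.example/post.php",
                    body="msg=hello&token=" + csrf_token("victim-session"),
                    cookies={"sid": "victim-session"})
    results["hard_legit_post"] = hardened_post_message(legit, hard_board)
    results["vuln_board"] = list(vuln_board)
    results["hard_board"] = list(hard_board)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the vulnerable handler accepting the image-triggered GET and appending "pwned", while the hardened handler answers 405 to the GET, 403 to a forged POST without a token, and 200 only to the genuine form submission.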
Current thread:
- Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images), (continued)
- Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images) Peter W (Jun 15)
- Re: The Dangers of Allowing Users to Post Images David Dreezer (Jun 15)
- Re: The Dangers of Allowing Users to Post Images Chris Lambert (Jun 15)
- Re: The Dangers of Allowing Users to Post Images Ryan Kennedy (Jun 16)
- Re: The Dangers of Allowing Users to Post Images Chris Lambert (Jun 15)
- Re: The Dangers of Allowing Users to Post Images Chris Lambert (Jun 15)
- Re: The Dangers of Allowing Users to Post Images Peter W (Jun 16)
- Re: The Dangers of Allowing Users to Post Images Jason Brooke (Jun 18)
- Re: The Dangers of Allowing Users to Post Images Peter W (Jun 16)