WebApp Sec mailing list archives
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
From: "Octavian Rasnita" <orasnita () fcc ro>
Date: Mon, 16 Aug 2004 22:57:17 +0300
Why is it so important if Internet Explorer allows URLs of images where the file name is only .jpg, .png, or .gif?

A URL can be something like:

http://www.site.com/script.php/image.jpg?logout=true

Internet Explorer might think that the file is a .jpg and that script.php is a directory, but only the target web server knows which is the program. Or PHP code might be contained in an "image.jpg" file.

Teddy

----- Original Message -----
From: "Chris Shiflett" <shiflett () php net>
To: <Saqib.N.Ali () seagate com>
Cc: "Jay Blanchard" <jay.blanchard () niicommunications com>; <php-general () lists php net>; <webappsec () securityfocus com>
Sent: Monday, August 16, 2004 9:52 PM
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

> --- Saqib.N.Ali () seagate com wrote:
> > And I'm sure all PHP developers check their applications for CSRF
> > vulnerability, in various browsers (including I.E.).
>
> I speak about CSRF in many of the talks I give, and I think you'd be
> surprised by how many people haven't even heard of it.
>
> > As a PHP/Java developer, I would be interested to know what I.E. is
> > doing in their browsers to prevent CSRF attacks. I'm not trying to
> > start a browser war here.
>
> Well, to be fair, even if it is true that IE does not request a URL
> referenced in an img tag unless the file extension matches a known image
> type, this isn't a complete or even optimal solution to the problem. Also,
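The point both posters make, that a browser-side file-extension heuristic says nothing about what the server will execute, is easy to show in code. The following PHP is an added illustration and is not code from either poster or from the PHP project: it contrasts the extension check the thread discusses with a logout handler that is actually protected, using a per-session token and a POST requirement. The function names, the `/logout.php` action and the sample URL are assumptions made for the example.

```php
<?php
// Added example (not from the thread): why an image-extension heuristic is
// not a CSRF defense, and what a defensible logout handler looks like instead.
session_start();

// 1. The heuristic the thread discusses: "does the URL end in an image
//    extension?" It looks only at the request path, so a request for
//    /script.php/image.jpg?logout=true passes, even though a typical Apache
//    setup routes it to script.php with PATH_INFO="/image.jpg". Only the
//    server decides what a path means; the browser cannot know.
function looks_like_image_url(string $path): bool
{
    return (bool) preg_match('/\.(jpe?g|png|gif)$/i', $path);
}

// 2. Vulnerable handler: any GET carrying ?logout=true ends the session.
//    A page the victim merely views can trigger it (an img tag, as the
//    thread describes), because the browser attaches the session cookie
//    to the request on its own.
function handle_logout_vulnerable(): void
{
    if (isset($_GET['logout']) && $_GET['logout'] === 'true') {
        session_destroy();
    }
}

// 3. Hardened handler: state changes require POST plus a secret,
//    per-session token that a third-party page cannot read (same-origin
//    policy) and therefore cannot supply. Compared in constant time.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_token_is_valid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function handle_logout_hardened(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);   // GET (e.g. from an img tag) is refused
        return;
    }
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);   // missing or wrong token is refused
        return;
    }
    $_SESSION = [];
    session_destroy();
}

// The legitimate logout form; the token is embedded by the server when the
// page is rendered, so only a page on this origin can produce a valid POST.
function logout_form_html(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/logout.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit">Log out</button></form>';
}

// Demonstration of the heuristic's blind spot on the constructed URL from
// the thread: the path ends in .jpg, so the check passes, yet the request
// is served by script.php.
$path = parse_url('http://www.site.com/script.php/image.jpg?logout=true', PHP_URL_PATH);
var_dump(looks_like_image_url($path)); // bool(true)
```

The hardened handler is what the thread's argument leads to: since neither the extension in the URL nor the browser's guess about it is trustworthy, the application has to prove the request came from its own page, which a secret the attacker's page cannot read does and a filename convention does not. Restricting state changes to POST is not a defense on its own (a hidden auto-submitting form can POST too), but it removes the img-tag vector entirely and leaves the token check as the decisive control.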