WebApp Sec mailing list archives

RE: (clarification) GET and POST Methods Accepted


From: "Derick Anderson" <danderson () vikus com>
Date: Fri, 14 Oct 2005 14:01:01 -0400


-----Original Message-----
From: Andrew van der Stock [mailto:vanderaj () greebo net] 
Sent: Friday, October 14, 2005 12:51 PM
To: Amit Klein (AKsecurity)
Cc: webappsec () securityfocus com
Subject: Re: (clarification) GET and POST Methods Accepted

[...]

Many frameworks (PHP and many J2EE implementations included) 
use "transparent" relocation of the cookie to GET, and 
coupled with GET state and poor authorization, replay is 
possible with poor quality apps.

This extremely irritating behavior can be stopped in PHP by setting a
php.ini variable ("use_only_cookies" if memory serves). However, it is
only available since PHP version 4.3.0, again if memory serves.

Derick Anderson
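The setting the reply refers to is the `session.use_only_cookies` php.ini directive. The following is an added illustration, not code from either poster: a PHP bootstrap that enforces cookie-only session IDs (so a session ID carried in a GET parameter is ignored), turns off transparent SID rewriting, fails closed if the hardening did not take effect, and logs any request that still arrives with the session name in the query string. All directive and function names are real PHP ones; the log message text and the `session_config_is_hardened` / `session_id_in_query` helper names are this example's own.

```php
<?php
// Added example (not from the list thread). Preferred placement for these
// directives is php.ini; ini_set() is used here so a shared bootstrap file
// can enforce them before session_start() on hosts where php.ini is not
// under the application's control.

// Accept the session ID only from the session cookie. A ?PHPSESSID=... in
// the URL is then ignored rather than used to resume a session.
// (Directive exists since PHP 4.3.0.)
ini_set('session.use_only_cookies', '1');

// Never rewrite links/forms to carry the session ID in GET/POST data.
// This is the "transparent relocation" of the cookie the quoted mail warns about.
ini_set('session.use_trans_sid', '0');

// Keep the cookie out of reach of client-side script (PHP >= 5.2).
ini_set('session.cookie_httponly', '1');

// Fail closed: refuse to run if the runtime did not honor the settings
// (e.g. they were overridden by an INI_SYSTEM-level configuration).
function session_config_is_hardened()
{
    return ini_get('session.use_only_cookies') === '1'
        && ini_get('session.use_trans_sid') === '0';
}

// Detection hook: with use_only_cookies on, a session ID in the query
// string is harmless to the session layer, but its presence is worth
// logging. It usually means a stale trans_sid-style link is still in
// circulation, or someone is trying to hand this client a session ID.
function session_id_in_query(array $get)
{
    return array_key_exists(session_name(), $get);
}

if (!session_config_is_hardened()) {
    header('HTTP/1.1 500 Internal Server Error');
    error_log('session hardening not in effect; refusing to start session');
    exit;
}

if (session_id_in_query($_GET)) {
    $client = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log('session id supplied in query string (ignored) from ' . $client);
}

session_start();

// After any privilege change (login), replace the ID so a value that was
// known before authentication cannot be replayed afterwards.
function on_successful_login()
{
    session_regenerate_id(true);
}
```

The equivalent php.ini lines are `session.use_only_cookies = 1` and `session.use_trans_sid = 0`; the runtime check above simply confirms that whichever layer set them actually won.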

