Home page logo

bugtraq logo Bugtraq mailing list archives

Re: The Dangers of Allowing Users to Post Images
From: "Chris Lambert" <clambert () gamespy com>
Date: Thu, 14 Jun 2001 21:11:14 -0400

Unfortunately, there are way too many sites which simply use HTTP GET. Why?
Well, in PHP, variables submitted to the form are all accessible via
$theirname upon start of execution. This is a feature for the lazy, as they
don't have to reference array $HTTP_POST_VARS, array $HTTP_GET_VARS, or
array $HTTP_COOKIE_VARS. So, most PHP scripts taking user input (chat
scripts, message boards, poll scripts, user comments, anything...) will
consider a POST var the same as a GET var.

In Perl, because it wasn't originally tailored to the web (although I don't
have much experience with it), I believe that GET is seperated from POST.

Yes, it is surprise that this hasn't posted before. The Zope page Sverre
linked to is similar, but didn't make the connection with inline images.
WhiteCrown Networks - Web Application Security
www.whitecrown.net - services () whitecrown net
/ Chris Lambert - cjlambert () home com
|-> ICQ #: 16435685 - AIM: ClipperChris
`-> Cell: (401) 743-2786 - http://sms.clambert.org/

----- Original Message -----
From: Richard M. Smith <rms () privacyfoundation org>

| This is a *very* interesting finding.  It seems
| kind of obvious too.  I wonder why no one seems
| to have run across it before.

| This same weakness can be exploited from an
| HTML email message also.  The bottom line is that
| a privileged operation should always require
| an HTTP POST and never allow a GET.  Hmm, I wonder how many
| Web sites break this rule?

| Richard M. Smith
| CTO, Privacy Foundation
| http://www.privacyfoundation.org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]