mailing list archives
Re: The Dangers of Allowing Users to Post Images
From: "Chris Lambert" <clambert () gamespy com>
Date: Thu, 14 Jun 2001 21:11:14 -0400
Unfortunately, there are way too many sites which simply use HTTP GET. Why?
Well, in PHP, variables submitted to the form are all accessible via
$theirname upon start of execution. This is a feature for the lazy, as they
don't have to reference array $HTTP_POST_VARS, array $HTTP_GET_VARS, or
array $HTTP_COOKIE_VARS. So, most PHP scripts taking user input (chat
scripts, message boards, poll scripts, user comments, anything...) will
consider a POST var the same as a GET var.
In Perl, because it wasn't originally tailored to the web (although I don't
have much experience with it), I believe that GET is seperated from POST.
Yes, it is surprise that this hasn't posted before. The Zope page Sverre
linked to is similar, but didn't make the connection with inline images.
WhiteCrown Networks - Web Application Security
www.whitecrown.net - services () whitecrown net
/ Chris Lambert - cjlambert () home com
|-> ICQ #: 16435685 - AIM: ClipperChris
`-> Cell: (401) 743-2786 - http://sms.clambert.org/
----- Original Message -----
From: Richard M. Smith <rms () privacyfoundation org>
| This is a *very* interesting finding. It seems
| kind of obvious too. I wonder why no one seems
| to have run across it before.
| This same weakness can be exploited from an
| HTML email message also. The bottom line is that
| a privileged operation should always require
| an HTTP POST and never allow a GET. Hmm, I wonder how many
| Web sites break this rule?
| Richard M. Smith
| CTO, Privacy Foundation
Re: The Dangers of Allowing Users to Post Images Chris Lambert (Jun 15)
Re: The Dangers of Allowing Users to Post Images Dmitry Yu. Bolkhovityanov (Jun 19)
- Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images), (continued)