[nycphp-talk] <a href> vs. <form> request
Bhulipongsanon, Pinyo
Pinyo.Bhulipongsanon at usa.xerox.com
Thu Apr 17 11:18:16 EDT 2003
Hi Chris,
Thanks. How would you tighten it up?
Pinyo
-----Original Message-----
From: Chris Shiflett [mailto:shiflett at php.net]
Sent: Thursday, April 17, 2003 10:50 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] <a href> vs. <form> request
--- Pinyo Bhulipongsanon <pinyo at nyc.rr.com> wrote:
> New guy here. This may help. I use this too, so if you can point out any
> weaknesses, please let me know.
>
> <?php
> $host = "www.yoururl.com";
> if (!isset($HTTP_REFERRER) || ($HTTP_HOST != $host)) {
> # access denied message
> }
> ?>
Since you asked... :-)
There are many ways to defeat this, and here is an example. Assume your above
script is named foo.php and outputs "access granted" immediately after your
conditional statement:
[chris at alpha]~> telnet www.yoururl.com 80
Trying 12.34.56.78...
Connected to www.yoururl.com (12.34.56.78).
Escape character is '^]'.
GET /foo.php HTTP/1.1
Host: www.yoururl.com
Referer: http://www.youonlycheckifthisisset.org/

HTTP/1.1 200 OK
Date: Thu, 17 Apr 2003 14:46:11 GMT
Server: Apache
Content-Type: text/html
Content-length: 14

access granted
Connection closed by foreign host.
[chris at alpha]~>
Basically, those variables that start with HTTP are just the headers sent by
the client, so if you trust those for any sort of security, it's like a teacher
asking the students to grade their own papers. It will work fine on honest
people, but those aren't the ones to be concerned with.
Hope that helps.
Chris
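An added example, not part of the original thread: the header check from the quoted script beside a check that relies on state the server holds, which works the same for an <a href> link or a <form>. The function names, the per-session token scheme and PHP 7 or later are assumptions of this example.

```php
<?php
// Added illustration; function names are hypothetical, not from the thread.

// The quoted check, written against $_SERVER-style input. Both values are
// request headers, so whoever sends the request picks them.
function header_check(array $server, string $host): bool
{
    return isset($server['HTTP_REFERER'])
        && ($server['HTTP_HOST'] ?? '') === $host;
}

// Server-held state instead: store a random token in the session and embed
// the same value in the link's query string or a hidden form field.
function issue_token(array &$session): string
{
    $session['token'] = bin2hex(random_bytes(16));
    return $session['token'];
}

// Grant only when the request returns the token this session was issued.
function token_check(array $session, array $request): bool
{
    return isset($session['token'], $request['token'])
        && is_string($request['token'])
        && hash_equals($session['token'], $request['token']);
}

// Constructed inputs: the headers from the telnet session, a session that
// has been issued a token, and requests without and with that token.
$forged  = ['HTTP_HOST' => 'www.yoururl.com',
            'HTTP_REFERER' => 'http://www.youonlycheckifthisisset.org/'];
$session = [];                      // stands in for $_SESSION
$token   = issue_token($session);

$cases = [
    'header check, forged headers' => header_check($forged, 'www.yoururl.com'),
    'token check, no token sent'   => token_check($session, []),
    'token check, guessed token'   => token_check($session, ['token' => str_repeat('0', 32)]),
    'token check, issued token'    => token_check($session, ['token' => $token]),
];
foreach ($cases as $label => $granted) {
    printf("%-30s %s\n", $label, $granted ? 'access granted' : 'access denied');
}
```

In a web request, $session would be $_SESSION and $request would be $_GET or $_POST.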