[nycphp-talk] <a href> vs. <form> request

Chris Shiflett shiflett at php.net
Thu Apr 17 10:50:18 EDT 2003


--- Pinyo Bhulipongsanon <pinyo at nyc.rr.com> wrote:
> New guy here.  This may help.  I use this too, so if you can point out any
> weaknesses, please let me know.
> 
> <?php
> $host = "www.yoururl.com";
> if (!isset($HTTP_REFERRER) || ($HTTP_HOST != $host)) {
>     # access denied message
> }
> ?>

Since you asked... :-)

There are many ways to defeat this, and here is an example. Assume your above
script is named foo.php and outputs "access granted" immediately after your
conditional statement:

[chris at alpha]~> telnet www.yoururl.com 80
Trying 12.34.56.78...
Connected to www.yoururl.com (12.34.56.78).
Escape character is '^]'.
GET /foo.php HTTP/1.1
Host: www.yoururl.com
Referer: http://www.youonlycheckifthisisset.org/


HTTP/1.1 200 OK
Date: Thu, 17 Apr 2003 14:46:11 GMT
Server: Apache
Content-Type: text/html
Content-length: 14

access granted

Connection closed by foreign host.
[chris at alpha]~>

Basically, those variables that start with HTTP are just the headers sent by
the client, so if you trust those for any sort of security, it's like a teacher
asking the students to grade their own papers. It will work fine on honest
people, but those aren't the ones to be concerned with.

Hope that helps.

Chris
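
Added example, not part of the original message: the header-only check from the quoted script beside one common alternative, a one-time token whose authoritative copy stays on the server. The function names and the `form_token` field are hypothetical, plain arrays stand in for `$_SERVER`, `$_SESSION` and `$_POST` so the script runs from the command line, and PHP 7 or later is assumed.

```php
<?php
// Added example; helper names and the form_token field are hypothetical.

// The quoted check, restated: every value it inspects was sent by the client.
function header_check(array $server, string $host): bool
{
    return isset($server['HTTP_REFERER'])
        && ($server['HTTP_HOST'] ?? '') === $host;
}

// Issue a token when the form is rendered; the server keeps the only
// authoritative copy (in a real application, $session is $_SESSION).
function issue_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// Accept a submission only if it echoes the stored token. The token is
// discarded on every attempt, so it can be used at most once.
function token_check(array &$session, array $post): bool
{
    $expected = $session['form_token'] ?? null;
    unset($session['form_token']);
    $given = $post['form_token'] ?? null;
    return is_string($expected) && is_string($given)
        && hash_equals($expected, $given);   // constant-time comparison
}

// Constructed sample data: the headers typed by hand in the telnet session.
$typed = [
    'HTTP_HOST'    => 'www.yoururl.com',
    'HTTP_REFERER' => 'http://www.youonlycheckifthisisset.org/',
];
$session = [];

// Header check against hand-typed headers.
var_dump(header_check($typed, 'www.yoururl.com'));

// Token check: no token issued, a guessed value, the real value, a replay.
var_dump(token_check($session, []));
issue_token($session);
var_dump(token_check($session, ['form_token' => 'guess']));
$token = issue_token($session);
var_dump(token_check($session, ['form_token' => $token]));
var_dump(token_check($session, ['form_token' => $token]));
```

The token shows only that the form was served to this session before the submission arrived; it says nothing about who or what is on the other end of the connection.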


