[nycphp-talk] <a href> vs. <form> request

Bhulipongsanon, Pinyo Pinyo.Bhulipongsanon at usa.xerox.com
Thu Apr 17 11:18:16 EDT 2003


Hi Chris,

Thanks.  How would you tighten it up?

Pinyo

-----Original Message-----
From: Chris Shiflett [mailto:shiflett at php.net]
Sent: Thursday, April 17, 2003 10:50 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] <a href> vs. <form> request


--- Pinyo Bhulipongsanon <pinyo at nyc.rr.com> wrote:
> New guy here.  This may help.  I use this too, so if you can point out any
> weaknesses, please let me know.
> 
> <?php
> $host = "www.yoururl.com";
> if (!isset($HTTP_REFERRER) || ($HTTP_HOST != $host)) {
>     # access denied message
> }
> ?>

Since you asked... :-)

There are many ways to defeat this, and here is an example. Assume your above
script is named foo.php and outputs "access granted" immediately after your
conditional statement:

[chris at alpha]~> telnet www.yoururl.com 80
Trying 12.34.56.78...
Connected to www.yoururl.com (12.34.56.78).
Escape character is '^]'.
GET /foo.php HTTP/1.1
Host: www.yoururl.com
Referer: http://www.youonlycheckifthisisset.org/


HTTP/1.1 200 OK
Date: Thu, 17 Apr 2003 14:46:11 GMT
Server: Apache
Content-Type: text/html
Content-length: 14

access granted

Connection closed by foreign host.
[chris at alpha]~>

Basically, those variables that start with HTTP are just the headers sent by
the client, so if you trust those for any sort of security, it's like a
teacher asking the students to grade their own papers. It will work fine on
honest people, but those aren't the ones to be concerned with.

Hope that helps.

Chris
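
Added example, not part of the original thread and not code from either poster: the header check from the thread next to a check that relies on state the server holds itself. The one-time session token is an assumed technique chosen for illustration, and the names header_check, issue_token, token_check and the $session array (standing in for $_SESSION) are hypothetical.

```php
<?php
// Added example. Requests are constructed as plain arrays so the script
// runs from the PHP CLI without a web server.

// The check from the thread, over an explicit header array: access is
// granted whenever a Referer header is present and Host matches.
function header_check(array $headers, string $host): bool
{
    return isset($headers['Referer']) && ($headers['Host'] ?? '') === $host;
}

// Assumed alternative: the server generates a token, stores it in the
// session, and embeds it in the link or form on the entry page.
function issue_token(array &$session): string
{
    $session['token'] = bin2hex(random_bytes(16));
    return $session['token'];
}

// Compares the submitted token with the stored one, then discards the
// stored copy so the same token cannot be used twice.
function token_check(array &$session, array $params): bool
{
    $expected = $session['token'] ?? null;
    unset($session['token']);
    $given = $params['token'] ?? '';
    return is_string($expected) && is_string($given)
        && hash_equals($expected, $given);
}

$host = 'www.yoururl.com';

// Constructed request mirroring the telnet session: hand-typed headers.
$forged = ['Host' => $host, 'Referer' => 'http://www.youonlycheckifthisisset.org/'];
var_dump(header_check($forged, $host));

$session = [];                          // stands in for $_SESSION

// Same hand-made request against the token check: no entry page was
// rendered for this session, so there is nothing for the client to echo.
var_dump(token_check($session, []));

// Normal flow: the entry page is rendered, then its link is followed.
$token = issue_token($session);
var_dump(token_check($session, ['token' => $token]));

// Replaying the same link after the token has been consumed.
var_dump(token_check($session, ['token' => $token]));
```

The token only shows that the request follows a page the server rendered for that session; it is not a substitute for authenticating the user.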

