Chris, thanks for the replies. I think I understand what you're stating, but I'm still confused as to why my app/server would allow a GET/POST piece of data that would/should be originating from a form on my site to come from a third-party/external site/app. I would have assumed that there are relatively easy/straightforward methods to resolve this. Are you saying that my assumptions are wrong? I would have thought that it would have been simple to only accept 'data', or to restrict 'data', to forms/apps that are resident on my server/environment.

Comments/thoughts?

-bruce

-----Original Message-----
From: Chris Shiflett [mailto:shiflett@xxxxxxx]
Sent: Wednesday, September 21, 2005 4:16 PM
To: bedouglas@xxxxxxxxxxxxx
Cc: 'Jasper Bryant-Greene'; 'PHP Mailing Lists'
Subject: Re: security/sql issues with php

bruce wrote:
> i just read an article that described how someone could have a url of
> 'http://foo.com/....' and have the URL in an <img> in their website.
> the website could be cat.com. the article implied that if a user would
> select the img, the link to the foo.com would be initiated, thereby
> fooling the user...
>
> i'm lost. i was under the impression that any interaction between the
> user and foo.com was essentially between the user and 'foo.com'. so that
> even though 'cat.com' may have caused the user to hit the link, the
> communication still occurs between the user and 'foo.com', not 'cat.com'

It sounds like you read an article about CSRF, cross-site request forgeries. This is a bit difficult to explain, and it's a vulnerability that exists in almost every PHP application I've audited.

CSRF describes any attack that causes a victim to send a request of the attacker's choosing. In other words, a victim might send a request to http://books.example.org/ without knowing it and without actually visiting a web page at http://books.example.org/. Using an img tag is just one type of attack - it's the most common, but only because it's the easiest.

I gave a talk recently that was a hands-on demonstration of a handful of common attacks, and CSRF was one:

http://brainbulb.com/talks/php-security-by-example.pdf

You can get the code for the exercises here:

http://brainbulb.com/phpworks.tar.gz

The second exercise is devoted to CSRF, and your first task is to exploit the vulnerability. I think exploiting vulnerabilities is a pretty good way to get a better understanding of them. Unfortunately, viewing the slides of a talk is much less helpful than the talk itself, but maybe there's enough there for you to understand the attack.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
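An added worked example (editor's illustration, not code from the thread, from Chris's talk or from his exercise tarball) of the two points above: why a request that "should" come from your own form still arrives when a page on cat.com triggers it, and what the server-side check looks like. The hostname books.example.org is the one Chris uses; the script name buy.php, the isbn parameter, the session layout and all function names are assumptions made up for this example. It uses random_bytes() and hash_equals(), so it needs PHP 7 or later.

```php
<?php
// Added example, not from the original thread. Everything here is constructed
// for illustration: no real site, endpoint or user is involved.
//
// The key fact: the browser attaches the victim's cookies (and therefore the
// victim's session) to ANY request it makes to books.example.org, whether the
// request was triggered by a form on books.example.org or by an <img> on
// cat.com. So "is the user logged in?" is not enough; the server must also
// check that the request was produced by a form it handed out.

// --- Vulnerable handler (the situation Chris describes) ----------------------
// Acts as soon as the session says the user is logged in. A page on cat.com
// containing
//     <img src="http://books.example.org/buy.php?isbn=0123456789">
// makes every logged-in visitor's browser send this request with their cookie.
function buy_vulnerable(array $session, array $request): string
{
    if (empty($session['user'])) {
        return 'not logged in';
    }
    $isbn = $request['isbn'] ?? '';
    return "{$session['user']} bought $isbn";
}

// --- Hardened handler --------------------------------------------------------
// 1. When rendering the form, mint a random token and remember it in the session.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function render_form(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/buy.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="isbn"><button>Buy</button></form>';
}

// 2. Only accept POST, and only when the submitted token matches the one in
//    the session. A page on cat.com can make the victim's browser send the
//    cookie, but it cannot read the victim's session or the form we rendered,
//    so it cannot supply the token.
function buy_hardened(array $session, string $method, array $post): string
{
    if (empty($session['user'])) {
        return 'not logged in';
    }
    if ($method !== 'POST') {
        return 'rejected: state change requires POST';
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 'rejected: missing or invalid CSRF token';
    }
    $isbn = $post['isbn'] ?? '';
    return "{$session['user']} bought $isbn";
}

// --- Walk-through ------------------------------------------------------------
$session = ['user' => 'bruce'];   // constructed: a logged-in victim's session

// Forged GET from an <img> on cat.com: carries the cookie, carries no token.
echo buy_vulnerable($session, ['isbn' => '0123456789']), "\n";
echo buy_hardened($session, 'GET', ['isbn' => '0123456789']), "\n";

// Forged POST (a hidden auto-submitting form on cat.com): still no valid token.
echo buy_hardened($session, 'POST', ['isbn' => '0123456789']), "\n";

// Legitimate flow: books.example.org rendered the form, so the token is both
// in the session and in the hidden field the browser submits back.
$form = render_form($session);
preg_match('/name="csrf_token" value="([0-9a-f]+)"/', $form, $m);
echo buy_hardened($session, 'POST', ['isbn' => '0123456789', 'csrf_token' => $m[1]]), "\n";
```

Run with `php buy.php`: the first line shows the vulnerable handler completing the purchase for the forged request, the next two show the hardened handler refusing the forged GET and the forged POST, and the last shows the genuine form submission succeeding. In a real application the `$session` array is `$_SESSION`, `$method` is `$_SERVER['REQUEST_METHOD']` and `$post` is `$_POST`; the token comparison must stay on the server side, and it is the part that answers Bruce's question, because there is no other way for the server to tell a request from its own form apart from an identical request that cat.com caused the same browser to send.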