tedd wrote:
> <link rel="stylesheet" type="text/css" media="screen" href="<?php
> echo (!$thestyle)?'style1':$thestyle ?>.css" >
It's not entirely clear from this example, but am I correct in assuming
that $thestyle is the same as $_COOKIE['thestyle'] in this case? In
other words, are you relying on register_globals or assigning the value
yourself?
If this is the value directly from the cookie, it's an example of a
cross-site scripting (XSS) vulnerability.
> header("Location: $HTTP_REFERER");
This is an HTTP response splitting vulnerability, because the Referer
header (like the Cookie header) is provided by the client. Future
versions of PHP will not allow more than one header per header() call,
but this has been possible until now.
> 1. Is he right?
Yes, it seems so.
> 2. How does that work?
The Cookie header is part of an HTTP request. This is sent by the
client, and although the standard mechanism involves the client
returning exactly what you requested (e.g., the value matches that of a
previous Set-Cookie header), there's no guarantee that a malicious user
would be as polite.
> 3. If so, what do I do to correct this?
Don't trust any input without inspecting it first. In your case, this is
particularly easy, because you can just make sure that the value is one
of the few valid values.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
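As an added example (not code from the thread or from either poster), here is a hardened version of both snippets Chris discusses: the stylesheet cookie is checked against a short allow-list so the raw cookie text never reaches the <link> tag, and the Referer-based redirect is replaced by a same-host path check that also rejects CR/LF. The cookie name 'thestyle', the allow-list contents, the host 'www.example.com' and the 'back' query parameter are assumptions.

```php
<?php
// Added example, not code from tedd or Chris Shiflett. Assumed names: the
// cookie 'thestyle', the fallback 'style1', the allow-list $allowedStyles,
// the site host 'www.example.com' and the 'back' query parameter.

// Stylesheet selection. The Cookie header is sent by the client, so the value
// is only used to pick one of a fixed set of file names; whatever the client
// actually sent is never echoed into the page.
function selectStyle(array $cookies, array $allowedStyles, string $default): string
{
    $requested = $cookies['thestyle'] ?? '';
    // Strict (===) comparison against the allow-list; anything else falls back.
    return in_array($requested, $allowedStyles, true) ? $requested : $default;
}

// Redirect target. Referer is also a request header. Rather than copying it
// into Location, keep only a path (plus query) on our own host and reject
// anything containing CR or LF, the characters that split a response.
function safeRedirectTarget(?string $referer, string $expectedHost, string $fallback): string
{
    if ($referer === null || $referer === '' || preg_match('/[\r\n]/', $referer)) {
        return $fallback;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['path']) || substr($parts['path'], 0, 1) !== '/') {
        return $fallback;
    }
    // A host that is not ours (including a scheme-relative //host URL) would
    // turn this into an open redirect, so refuse it.
    if (isset($parts['host']) && strcasecmp($parts['host'], $expectedHost) !== 0) {
        return $fallback;
    }
    // Paths starting with // or containing a backslash can be read by some
    // browsers as a different host; treat them the same way.
    if (strpos($parts['path'], '//') === 0 || strpos($parts['path'], '\\') !== false) {
        return $fallback;
    }
    $target = $parts['path'];
    if (isset($parts['query'])) {
        $target .= '?' . $parts['query'];
    }
    return $target;
}

// --- Usage ----------------------------------------------------------------
$allowedStyles = ['style1', 'style2', 'highcontrast'];   // assumed list
$expectedHost  = 'www.example.com';                        // assumed host

if (PHP_SAPI === 'cli') {
    // Constructed hostile inputs, to show both functions falling back.
    var_dump(selectStyle(['thestyle' => '"><b>injected</b>'], $allowedStyles, 'style1'));
    var_dump(safeRedirectTarget("http://www.example.com/a\r\nX-Injected: 1", $expectedHost, '/'));
    var_dump(safeRedirectTarget('http://www.example.com/page?id=3', $expectedHost, '/'));
} else {
    // A redirecting request (assumed ?back=1) must send the header before
    // any output; everything else gets the stylesheet link.
    if (isset($_GET['back'])) {
        $target = safeRedirectTarget($_SERVER['HTTP_REFERER'] ?? null, $expectedHost, '/');
        header('Location: ' . $target);
        exit;
    }
    $style = selectStyle($_COOKIE, $allowedStyles, 'style1');
    echo '<link rel="stylesheet" type="text/css" media="screen" href="'
        . htmlspecialchars($style . '.css', ENT_QUOTES, 'UTF-8') . '">';
}
```

Run from the command line it prints the fallback for the two hostile inputs and the cleaned path for the benign one; under a web server it behaves as the two original snippets were meant to. The htmlspecialchars() call is belt-and-braces: the allow-list already guarantees a safe value, but escaping at the point of output is the habit that survives the next change to the list.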