tedd wrote:
> <link rel="stylesheet" type="text/css" media="screen" href="<?php echo (!$thestyle)?'style1':$thestyle ?>.css" >
It's not entirely clear from this example, but am I correct in
assuming that $thestyle is the same as $_COOKIE['thestyle'] in this
case? In other words, are you relying on register_globals or
assigning the value yourself?
If this is the value directly from the cookie, it's an example of a
cross-site scripting (XSS) vulnerability.
> header("Location: $HTTP_REFERER");
This is an HTTP response splitting vulnerability, because the
Referer header (like the Cookie header) is provided by the client.
Future versions of PHP will not allow more than one header per
header() call, but this has been possible until now.
> 1. Is he right?
Yes, it seems so.
> 2. How does that work?
The Cookie header is part of an HTTP request. This is sent by the
client, and although the standard mechanism involves the client
returning exactly what you requested (e.g., the value matches that
of a previous Set-Cookie header), there's no guarantee that a
malicious user would be as polite.
> 3. If so, what do I do to correct this?
Don't trust any input without inspecting it first. In your case,
this is particularly easy, because you can just make sure that the
value is one of the few valid values.
Hope that helps.
Chris
Chris:
Yes, it helps and I thank you for your comments.
Your question: "It's not entirely clear from this example, but am I
correct in assuming that $thestyle is the same as
$_COOKIE['thestyle'] in this case? In other words, are you relying on
register_globals or assigning the value yourself?"
The example is here:
http://www.sperling.com/examples/styleswitch/
The complete PHP code (i.e., switch.php) is:
<?php
setcookie ('thestyle', $set, time()+31536000, '/', '', 0);
header("Location: $HTTP_REFERER");
?>
And the value is assigned by the user via a click:
<a href="switch.php?set=style2">Green</a> or <a href="switch.php?set=style1">Red</a>
And, the style sheet is determined by:
<link rel="stylesheet" type="text/css" media="screen" href="<?php echo(!$thestyle)?'style1':$thestyle ?>.css" >
As such, I am expecting the user to provide the value of 'thestyle'
via his choice.
However, let's say a malicious user would try to do something -- what
could he actually do?
Please explain.
Thanks again.
tedd
--
--------------------------------------------------------------------------------
http://sperling.com
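The check Chris recommends in point 3, applied to tedd's switch.php and the stylesheet link, as an added example that is not code from either post. It assumes the only stylesheets are style1.css and style2.css, that register_globals is off, and that the page lives at /examples/styleswitch/ (taken from the URL above).

```php
<?php
// Added example (not tedd's or Chris's code): switch.php rewritten with the
// whitelist check Chris describes. Assumes the only stylesheets are
// style1.css and style2.css, and that register_globals is off.

$valid_styles = array('style1', 'style2');

// Return $value only if it is exactly one of the known stylesheet names;
// otherwise fall back to the default. Nothing a client sends reaches
// setcookie(), header() or the HTML unless it passes this test.
function pick_style($value, $valid, $default = 'style1')
{
    return in_array($value, $valid, true) ? $value : $default;
}

if (isset($_GET['set'])) {
    // The click: switch.php?set=style2 (read explicitly from $_GET, never
    // from a register_globals variable).
    $set = pick_style($_GET['set'], $valid_styles);
    setcookie('thestyle', $set, time() + 31536000, '/', '', 0);

    // Do not copy the Referer into a header: it is client-controlled, and a
    // CR/LF inside it would begin a second header (response splitting).
    // Redirect to a page we choose instead, then stop.
    header('Location: /examples/styleswitch/');
    exit;
}

// The page itself: the cookie is client-controlled too, so it goes through
// the same check before it is placed in the href attribute.
$cookie   = isset($_COOKIE['thestyle']) ? $_COOKIE['thestyle'] : '';
$thestyle = pick_style($cookie, $valid_styles);
?>
<link rel="stylesheet" type="text/css" media="screen"
      href="<?php echo htmlspecialchars($thestyle, ENT_QUOTES); ?>.css">
<a href="switch.php?set=style2">Green</a> or
<a href="switch.php?set=style1">Red</a>
```

With the whitelist in place, a cookie or query value that is not exactly style1 or style2 is replaced by the default, so neither the Location header nor the href attribute can carry client-supplied text.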
--
PHP General Mailing List (http://www.php.net/)