>>
>> If this is the value directly from the cookie, it's an example of a
>> cross-site scripting (XSS) vulnerability.
>>
>>> header("Location: $HTTP_REFERER");
>>
>> This is an HTTP response splitting vulnerability, because the Referer
>> header (like the Cookie header) is provided by the client. Future
>> versions of PHP will not allow more than one header per header() call,
>> but this has been possible until now.
>>
>>> 3. If so, what do I do to correct this?
>>
>> Don't trust any input without inspecting it first. In your case, this
>> is particularly easy, because you can just make sure that the value is
>> one of the few valid values.
>>
>> Hope that helps.
>>
>> Chris
>
> Chris:
>
> Yes, it helps and I thank you for your comments.
>
> Your question: "It's not entirely clear from this example, but am I
> correct in assuming that $thestyle is the same as $_COOKIE['thestyle']
> in this case? In other words, are you relying on register_globals or
> assigning the value yourself?"
>
> The example is here:
>
> http://www.sperling.com/examples/styleswitch/
>
> The complete php code (i.e., switch.php) is:
>
> <?php
> setcookie ('thestyle', $set, time()+31536000, '/', '', 0);
> header("Location: $HTTP_REFERER");
> ?>
>
> And the value is assigned by the user via a click:
>
> <a href="switch.php?set=style2">Green</a> or <a
> href="switch.php?set=style1">Red</a>
>
> And, the style sheet is determined by:
>
> <link rel="stylesheet" type="text/css" media="screen" href="<?php
> echo(!$thestyle)?'style1':$thestyle ?>.css" >
>
> As such, I am expecting the user to provide the value of 'thestyle' via
> his choice.
>
> However, let's say a malicious user would try to do something -- what
> could he actually do?

The user could insert arbitrary HTML where you have the variable.
For example they could insert:

style1.css"><script language="JavaScript" type="text/JavaScript">...</script><meta name="bye" content="

This would allow them to run arbitrary JavaScript on the client's computer.

An interesting question in this case is how to do an injection using cookies; injection attacks are generally performed using POST & GET data, as they can be inserted into a link on another page. Getting a working exploit would probably come down to how the browser implemented the cookie security: who can set cookies where.

Regardless, it's not worth the risk. Checking for valid values or using htmlentities to make the variable safe is a quick and simple solution. Getting into the practice of screening all user data, either manually or using the input_filter extension, will also save you from these problems in the future.

David

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
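The two fixes the thread converges on (accept only the few valid style names, and never copy the client-supplied Referer into the Location header) combined into one file, as an added example that is not the original switch.php or any other code from the thread. It assumes PHP 7 or later (for the `??` operator), the two stylesheets style1.css and style2.css mentioned above, and that the site's canonical host is www.sperling.com, taken from the URL posted above; the guard on `SCRIPT_NAME` and the helper names `pickStyle`, `safeRedirectTarget` and `styleLinkTag` are this example's own choices.

```php
<?php
// Added example (not the thread's own code). Save as switch.php; other pages
// can require it and call styleLinkTag() because the switcher part below only
// runs when this file itself is the requested script.
// Assumes PHP 7+, stylesheets style1.css / style2.css, host www.sperling.com.

$ALLOWED_STYLES = ['style1', 'style2'];   // the only values the links offer
$DEFAULT_STYLE  = 'style1';
$SITE_HOST      = 'www.sperling.com';     // configured here, not read from the request

// Accept only a known style name. Anything else (missing value, hand-edited
// query string, tampered cookie) silently falls back to the default.
function pickStyle($candidate, array $allowed, $default)
{
    if (!is_string($candidate) || !in_array($candidate, $allowed, true)) {
        return $default;
    }
    return $candidate;
}

// Decide where to send the browser after setting the cookie. The Referer is
// client-controlled, so it is never placed in the Location header as-is:
// only a same-host http(s) Referer is honoured, only its path and query are
// rebuilt, and any control character (CR/LF included) rejects the whole value.
function safeRedirectTarget($referer, $siteHost)
{
    if (!is_string($referer) || $referer === '') {
        return '/';
    }
    $parts = parse_url($referer);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || strcasecmp($parts['host'], $siteHost) !== 0) {
        return '/';
    }
    $target = $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $target .= '?' . $parts['query'];
    }
    if ($target[0] !== '/' || preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return '/';
    }
    return $target;
}

// Build the <link> tag for a page: re-check the cookie against the same
// whitelist, then escape on output so that even a value which somehow
// slipped through could not break out of the href attribute.
function styleLinkTag($cookieValue, array $allowed, $default)
{
    $style = pickStyle($cookieValue, $allowed, $default);
    return '<link rel="stylesheet" type="text/css" media="screen" href="'
         . htmlspecialchars($style, ENT_QUOTES, 'UTF-8') . '.css">';
}

// ---- the switcher itself: only when switch.php is the requested script ----
if (basename($_SERVER['SCRIPT_NAME'] ?? '') === 'switch.php') {
    $style = pickStyle($_GET['set'] ?? null, $ALLOWED_STYLES, $DEFAULT_STYLE);

    // One year, whole site; HttpOnly because only the server needs to read it.
    setcookie('thestyle', $style, time() + 31536000, '/', '', false, true);

    header('Location: ' . safeRedirectTarget($_SERVER['HTTP_REFERER'] ?? '', $SITE_HOST));
    exit;
}

// A page that has done  require 'switch.php';  prints its stylesheet link with:
//   echo styleLinkTag($_COOKIE['thestyle'] ?? null, $ALLOWED_STYLES, $DEFAULT_STYLE);
```

The whitelist is the real defence: with only `style1` or `style2` ever reaching the cookie or the `href`, the `"><script>` payload quoted above has nowhere to land. `htmlspecialchars` (or `htmlentities`, as suggested above) is kept on the output path as a second layer. Likewise, the redirect no longer interpolates the raw Referer, so an injected CR/LF cannot split the response even on a PHP version that still permits multiple headers per `header()` call.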