Re: Help with login

On Fri, Jun 27, 2008 at 1:36 PM, Richard Heyes <richardh@xxxxxxxxxxx> wrote:
>> if (isset($_COOKIE["auth"]) && !isset($_GET["page"]))
>>    {
>>    include($GLOBALS['admin_index']);
>>    die();
>>    }
>
> Your script is awfully insecure. $_COOKIE is user supplied, so if I hand
> craft a request, I could just send an auth cookie which is set to 1. Relying
> on people not knowing is not good, especially as you've just posted your
> authentication method to the world.

    It should also be noted that this code:

<?php
// Check for previous authentication
if (isset($_COOKIE["auth"]) && isset($_GET["page"]))
   {
   include($_GET["page"].".php");
   die();
   }
?>

    .... is EXTREMELY dangerous.  When I perform pen testing for
websites, one of the first things I do is check to see if I can
include other files.  Because from there, I can gain privilege
escalation by forcing an upload and calling the file directly.  I've
broken literally hundreds of websites this way --- no joke.

    NEVER leave it up to the user to decide what they can access.
Always expect specific input and handle (and filter!) it accordingly.
If something comes up that you don't expect, force it to error out.
You'll be sorry otherwise.

-- 
</Daniel P. Brown>
Dedicated Servers - Intel 2.4GHz w/2TB bandwidth/mo. starting at just
$59.99/mo. with no contract!
Dedicated servers, VPS, and hosting from $2.50/mo.
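The following is an added illustration, not code from the original thread or from any of its posters. It takes the two problems raised above (trusting a client-side "auth" cookie, and letting $_GET["page"] pick the file to include) and puts the posted pattern next to a version that keeps the decision on the server: authentication comes from the session, and the request carries only a key into a fixed allowlist of pages. The page names, directory layout and probe strings are assumptions made up for the example. Nothing is actually included; the functions return the path that would have been included so the effect of each input can be seen from the CLI.

```php
<?php
// Added example (not from the original post). Compares the posted
// include($_GET["page"].".php") pattern with an allowlist-based dispatcher.

// What the posted code does: concatenate the client value and include it.
// Returned here rather than included, so we can look at the result safely.
function unsafe_include_target(string $page): string
{
    return $page . ".php";
}

// Hardened form: the request only names a key; the filesystem path comes
// from a map the server controls. Anything not in the map is rejected.
// (Directory and page names are assumptions for the example.)
const PAGES = [
    'home'  => __DIR__ . '/pages/home.php',
    'users' => __DIR__ . '/pages/users.php',
];

function safe_include_target(string $page): ?string
{
    return PAGES[$page] ?? null;
}

// Authentication state lives in the server-side session, not in a cookie the
// client can forge. $_SESSION is passed in as an array so this runs from the CLI.
function is_authenticated(array $session): bool
{
    return isset($session['user_id']) && is_int($session['user_id']);
}

// Dispatcher that errors out on anything it does not expect.
function dispatch(array $get, array $session): string
{
    if (!is_authenticated($session)) {
        return 'deny: not authenticated';
    }
    if (!isset($get['page']) || !is_string($get['page'])) {
        return 'error: missing page';
    }
    $target = safe_include_target($get['page']);
    if ($target === null) {
        return 'error: unknown page';
    }
    return 'include ' . $target;
}

// Constructed probe values, the kind of thing a tester sends for ?page=
$probes = [
    'users',                                // legitimate key
    '../uploads/avatar',                    // uploaded avatar.php with PHP inside
    "../../../../etc/passwd\0",             // null byte truncated the ".php" suffix
                                            // on PHP before 5.3.4
    'http://attacker.example/shell',        // remote include if allow_url_include=On
];

foreach ($probes as $p) {
    printf("%-38s unsafe -> %-42s safe -> %s\n",
        addcslashes($p, "\0"),
        unsafe_include_target($p),
        safe_include_target($p) ?? 'rejected');
}

// The cookie check from the thread, expressed against the session instead:
echo dispatch(['page' => 'users'], ['user_id' => 42]), "\n";   // include .../pages/users.php
echo dispatch(['page' => 'users'], []), "\n";                  // deny: not authenticated
echo dispatch(['page' => '../uploads/avatar'], ['user_id' => 42]), "\n"; // error: unknown page
```

The allowlist is the whole point: the client never supplies a path fragment, only a key, so traversal sequences, null bytes and URLs have nothing to attach to. If the list of pages has to grow, it grows in the map on the server, never in the request.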

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

