Re: [Phplib-users] store the IP in the session
From: Giancarlo <gia...@na...> - 2002-12-07 22:19:33
> This is a cross site scripting vulnerability inherent to the way HTTP works.

There is no scripting involved here, it is a plain URL.

> There is nothing we can do to prevent this. If someone allows HTTP entry on
> their site,

You can prevent scripting by parsing quotes etc., because they are not allowed inside links. If a link is a danger, any wiki or annotation becomes a danger. Credentials in the URL, if treated, should be sorta quarantined or screened, and not allowed to mixmax. That's why I propose 'unrepeatable' use-once sequences, made of a fixed part and a secretly pre-agreed rest. Dunno if Amazon does so ;-)

> then that is the risk they take. This could easily enough occur
> with another security breach and a page replacement. This is an application
> question.
>
> Referer is not set in the case of Javascript navigation, page refresh,
> typing in a direct url, etc. etc. etc.

Ok, so why should I accept a GET sid without a referer?

>> it intervenes only when there is a referer. But we can block when there
>> is no referer

> Yes, so use SSL. Problem solved.

Again you forget links: https://aaa.com/?PHPSESSID=foo

> Here is an example:
>
> XYZ has written an app that does not do input filtering and someone enters
> javascript to read the session cookie and send it to them. They get it,
> create the cookie, and now they can hijack the session. No matter how much
> code is written, without some method of identifying the remote user, either
> through a certificate or something.

That hasn't taken off in so many years now...

> You are trying to solve a problem that has plagued tcp for years. If you
> open a session, and someone guesses the sequence number,

anyone can tell you to use 'foo', with a php4 session!

> then they can
> hijack the session.

Gian
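The two objections raised in the post above (a sid planted through a link such as https://aaa.com/?PHPSESSID=foo, and a GET sid that arrives without a referer) turned into a server-side acceptance check. This is an added example written for this page, not PHPLib's own code: the class name UrlSidGate, the in-memory store of server-issued ids, the use-once rule for URL-carried ids, and the constructed request cases are all assumptions; $get and $server stand in for $_GET and $_SERVER.

```php
<?php
declare(strict_types=1);

/**
 * Gate for session ids that arrive as a GET parameter (added example, not PHPLib code).
 *
 * Assumptions: the server keeps a set of ids it generated itself; the
 * parameter is named PHPSESSID; an id that travelled in a URL is consumed
 * on first use, so the same link cannot be replayed.
 */
final class UrlSidGate
{
    /** @var array<string,bool> ids this server generated and has not yet consumed */
    private array $issued = [];

    /** Generate a fresh id and remember that we issued it. */
    public function issue(): string
    {
        $sid = bin2hex(random_bytes(16));
        $this->issued[$sid] = true;
        return $sid;
    }

    /**
     * Return the sid to use for this request, or null if the URL-carried
     * sid must be ignored. $reason explains the decision.
     */
    public function accept(array $get, array $server, ?string &$reason = null): ?string
    {
        $sid = $get['PHPSESSID'] ?? null;
        if ($sid === null) {
            $reason = 'no sid in URL';
            return null;
        }

        // Fixation: an id like 'foo' in a link is whatever the link's author
        // chose, not something this server ever handed out.
        if (!isset($this->issued[$sid])) {
            $reason = 'sid not issued by this server';
            return null;
        }

        // Require a same-host referer; a GET sid with no referer is refused.
        $host = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
        if (!is_string($host) || strcasecmp($host, $server['HTTP_HOST'] ?? '') !== 0) {
            $reason = 'missing or foreign referer';
            return null;
        }

        // Use once: the id has been exposed in a URL, so retire it now.
        unset($this->issued[$sid]);
        $reason = 'ok';
        return $sid;
    }
}

// Constructed request cases (not captured traffic).
$gate = new UrlSidGate();
$sid  = $gate->issue();
$ours = 'aaa.com';

$cases = [
    'planted link'    => [['PHPSESSID' => 'foo'], ['HTTP_HOST' => $ours, 'HTTP_REFERER' => 'https://aaa.com/']],
    'no referer'      => [['PHPSESSID' => $sid],  ['HTTP_HOST' => $ours]],
    'foreign referer' => [['PHPSESSID' => $sid],  ['HTTP_HOST' => $ours, 'HTTP_REFERER' => 'https://evil.example/']],
    'same-site link'  => [['PHPSESSID' => $sid],  ['HTTP_HOST' => $ours, 'HTTP_REFERER' => 'https://aaa.com/page.php']],
    'replayed link'   => [['PHPSESSID' => $sid],  ['HTTP_HOST' => $ours, 'HTTP_REFERER' => 'https://aaa.com/page.php']],
];

foreach ($cases as $name => [$get, $server]) {
    $reason = null;
    $result = $gate->accept($get, $server, $reason);
    printf("%-16s %s (%s)\n", $name, $result === null ? 'reject' : 'accept', $reason);
}
```

Only the "same-site link" case is accepted; the planted id, the missing referer, the foreign referer and the replay of an already-consumed id are all refused. The quoted poster's point still stands: Referer is absent on JavaScript navigation, refresh and typed URLs, so this policy deliberately refuses those requests and falls back to the cookie. In practice a cookie-only sid, regenerated after authentication, avoids the URL-carried id altogether.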