Unfortunately, there are way too many sites which simply use HTTP GET. Why? Well, in PHP, variables submitted to the form are all accessible via $theirname upon start of execution. This is a feature for the lazy, as they don't have to reference array $HTTP_POST_VARS, array $HTTP_GET_VARS, or array $HTTP_COOKIE_VARS. So, most PHP scripts taking user input (chat scripts, message boards, poll scripts, user comments, anything...) will consider a POST var the same as a GET var. In Perl, because it wasn't originally tailored to the web (although I don't have much experience with it), I believe that GET is separated from POST.

Yes, it is a surprise that this hasn't been posted before. The Zope page Sverre linked to is similar, but didn't make the connection with inline images.

--
WhiteCrown Networks - Web Application Security
www.whitecrown.net - servicesat_private
______________________________
/ Chris Lambert - cjlambertat_private
|-> ICQ #: 16435685 - AIM: ClipperChris
`-> Cell: (401) 743-2786 - http://sms.clambert.org/

----- Original Message -----
From: Richard M. Smith <rmsat_private>

| This is a *very* interesting finding. It seems
| kind of obvious too. I wonder why no one seems
| to have run across it before.
|
| This same weakness can be exploited from an
| HTML email message also. The bottom line is that
| a privileged operation should always require
| an HTTP POST and never allow a GET. Hmm, I wonder how many
| Web sites break this rule?
|
| Richard M. Smith
| CTO, Privacy Foundation
| http://www.privacyfoundation.org
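As an added example (not from the message above or from either author), here is the "GET is the same as POST" pattern Chris describes beside the fix Richard calls for, written against PHP's current superglobals ($_REQUEST, $_POST, $_SERVER) rather than the $HTTP_*_VARS arrays named in the post; the message-board "delete" action and the delete_post() helper are assumptions.

```php
<?php
// Added example, not from the original thread. Assumed: a message board
// with a privileged "delete" action and a hypothetical delete_post() helper.

function delete_post(int $id): void {
    // Placeholder for the privileged operation (assumption).
}

// BEFORE: the lazy pattern the post describes. With register_globals (or
// $_REQUEST, which merges GET, POST and cookie data the same way) $action
// and $id look identical whether they came from the query string or from a
// form body. A browser fetching an inline image whose src points at this
// script with action=delete&id=42 issues a plain GET, carrying the viewer's
// session cookie, and the deletion happens without the user doing anything.
function handle_request_weak(array $request): string {
    $action = $request['action'] ?? '';
    $id     = (int)($request['id'] ?? 0);
    if ($action === 'delete') {
        delete_post($id);
        return "deleted $id";
    }
    return 'no-op';
}

// AFTER: the rule Richard states. Check the method explicitly and read the
// parameters only from the POST body; an <img> or a link can only produce
// a GET, so it is refused before the privileged code is reached.
function handle_request_strict(string $method, array $post): string {
    if ($method !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        return 'method not allowed';
    }
    $action = $post['action'] ?? '';
    $id     = (int)($post['id'] ?? 0);
    if ($action === 'delete') {
        delete_post($id);
        return "deleted $id";
    }
    return 'no-op';
}

// Wiring for a real request: only the strict handler is dispatched; the weak
// one is kept above purely for comparison.
echo handle_request_strict($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST), "\n";
```

The method check stops the inline-image and HTML-email vectors the thread discusses; a form that a script submits automatically still arrives as a POST, so in a real deployment pair this check with a per-session token carried in the form and verified server-side.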
This archive was generated by hypermail 2b30 : Fri Jun 15 2001 - 13:09:45 PDT