Stefan Priebsch wrote:
> Richard Lynch wrote:
>> If a web service really doesn't care whether it is responding to GET
>> or POST or even forged COOKIES to produce its output, why would it not
>> just use REQUEST?
>> It's not as if it's any harder to forge GET vs. POST vs. COOKIE data,
>> really.
I am replying to Stefan's mail because I don't see the one by Richard (yet).

@Richard: You don't understand the problem with _REQUEST. It is not
about the fact that someone can forge GET, POST, COOKIE variables.
It is about the fact that COOKIEs will overwrite GET and POST data in

Therefore I could infect your browser with a cookie that says e.g.
action=logout and from that day on you cannot use the application
anymore because REQUEST[action] will be logout forever (until you
manually delete the cookie).

And to infect you with a COOKIE is so simple...
a) I could use an XSS vuln in any application on a subdomain
b) Ever tried setting a cookie for * or * when you own a
single domain there?
c) Other cross domain whatever ways...

And if you believe that this is not an issue then I can tell you that
there is a simple possibility to set f.e. a * cookie that results
in several PHP versions just returning white pages.
Imagine: Just a single cookie to kill all PHP pages in *

And by setting an illegal session ID in a cookie valid for * in a
variable called +PHPSESSID=*illegal* you can still DOS every PHP
application in Korea using PHP sessions...
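
The override described in the mail above, as an added example that is not part of the original thread and not PHP's own source: a small PHP model of the left-to-right merge that fills `$_REQUEST`, next to two ways of keeping cookies out of it. `build_request()`, `read_action()` and the sample values are hypothetical; `request_order` is the php.ini directive (PHP 5.3 and later) that sets the merge order for `$_REQUEST`.

```php
<?php
// Added illustration, not PHP's internal code: models how $_REQUEST is
// assembled from an order string such as "GPC" (variables_order or
// request_order). Sources are merged left to right, so a later letter
// overwrites an earlier one for the same key.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        // Letters that do not feed $_REQUEST (e.g. E, S) are skipped.
        if (isset($sources[$letter])) {
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// Constructed sample input: the user follows a link with action=view while
// the browser also sends a cookie named "action" that the application never set.
$get    = ['action' => 'view', 'id' => '42'];
$post   = [];
$cookie = ['action' => 'logout', 'PHPSESSID' => 'constructed-session-id'];

// Cookies merged last: the cookie value replaces the GET value on every request.
$legacy = build_request('GPC', $get, $post, $cookie);
// request_order = "GP": cookies never enter the merge.
$strict = build_request('GP', $get, $post, $cookie);

printf("order GPC: action=%s\n", $legacy['action']);
printf("order GP:  action=%s\n", $strict['action']);

// Hardened handler: read the parameter only from the sources it is expected
// in and accept only known values, so neither the merge order nor a stray
// cookie can change the result.
function read_action(array $get, array $post): string
{
    $allowed = ['view', 'edit', 'logout'];
    $value = $post['action'] ?? $get['action'] ?? 'view';
    // Strict comparison also rejects array input such as action[]=x.
    return in_array($value, $allowed, true) ? $value : 'view';
}

printf("explicit read: action=%s\n", read_action($get, $post));
```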


