[PHP-DEV] Bug #10519 Updated: $HTTP_COOKIE_VARS spoofing

Sun, 29 Apr 2001 13:14:30 -0700 

ID: 10519
Updated by: bbonev
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Variables related
PHP Version: 4.0.4pl1
Assigned To: 
Comments:

indeed i have missed one of the points - the fact that when passing data in the array 
form, all the values combine in a single array. further testing showed that the 
cookies also appear in HTTP_GET_VARS. i am sure that if there is a post to an url with 
a get var and some cookies (all varnames in array form) HTTP_*_ARRAY will contain all 
the values.

this issue is a serious concern about the --enable-track-vars code. it must be 
resolved by overwriting the whole arrays, not adding data to them in order to be 
consistent

e.g.

get var: myarr[one]=1
post var: myarr[two]=2
cookie var: myarr[three]=3

gpc order is GPC

the global array $myarr has only the 'one' key

the HTTP_*_VARS have only the proper arrays


Previous Comments:
---------------------------------------------------------------------------

[2001-04-29 13:23:27] [EMAIL PROTECTED]
think about cookies the same way as GET data or POST data - they are at the same level 
and can be spoofed very easy with a cURL client for example. one can tell his client 
what cookie with what value to pass for a given request

the issue here is not security but programmers comfort. but when one uses the short 
representations of variables she must be aware of the GPC order setting.

i think this is the same like overriding a post variable with a get one.

do you think this bug shall be closed?

---------------------------------------------------------------------------

[2001-04-26 21:35:49] [EMAIL PROTECTED]
<?
   setCookie('cookie[one]','one');
   setCookie('cookie[two]','two');

   print_r($HTTP_COOKIE_VARS);
?>

If you access this page with the command line arguement 

?cookie[three]=three 

print_r will show cookie[three] in $HTTP_COOKIE_VARS.

Just a bit of incongrous material, but for some sites could cause problems if cookies 
are spoofed thusly.

Regards

---------------------------------------------------------------------------



ATTENTION! Do NOT reply to this email!
To reply, use the web interface found at http://bugs.php.net/?id=10519&edit=2


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to