Hello,

I'm not saying that IE completely fixed CSRF attacks by only
allowing .jpg, .gif, .png files.
But it "might" be one possible way to minimize CSRF attacks, just like
using POST vs. GET can help minimize the chances of that attack.

BTW, using POST instead of GET does NOT guarantee that a CSRF attack will
not work, either.


Thanks.
Saqib Ali
http://validate.sf.net <<< XHTML/DocBook XML Validator and Transformer
"Octavian Rasnita" <[EMAIL PROTECTED]> 
08/16/2004 12:57 PM

To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Cc: "Jay Blanchard" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

Why is it so important whether Internet Explorer allows URLs of images only where the
file name ends in .jpg, .png, or .gif?

A url can be something like:

http://www.site.com/script.php/image.jpg?logout=true

Internet Explorer might think that the file is a .jpg and that script.php is
a directory, but only the target web server knows which one is the program.
Or PHP code might be contained in an "image.jpg" file.

Teddy
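
Added example (not code from the thread or from any of its participants): a PHP handler that ties a state-changing action to a per-session synchronizer token. It illustrates the point made in both messages above: the extension filter discussed by Saqib and Teddy does not help, because a request for /script.php/image.jpg?logout=true still reaches script.php (with the remainder in PATH_INFO), and a POST-only form does not help either, because the forged request can be a POST too. The token check ignores the URL shape and the method entirely and only accepts the action when the submitted value matches the one stored in the session. The function names csrf_token(), csrf_check() and handle_logout() and the form field names are assumptions of this example, not anything from the thread; it needs PHP 7 or later for random_bytes().

```php
<?php
// Added example, not from the mailing-list thread. Assumed names:
// csrf_token(), csrf_check(), handle_logout(), form field "csrf_token".
declare(strict_types=1);

session_start();

// Issue one random token per session. It is created lazily and reused so that
// several forms open in the same session all stay valid.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate a submitted token in constant time. The comparison does not look at
// the requested path, its "extension", or the HTTP method: a request for
// /script.php/image.jpg?logout=true still executes script.php (the suffix is
// just PATH_INFO), and a forged POST is no harder to produce than a forged GET.
function csrf_check(?string $submitted): bool
{
    if (!isset($_SESSION['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// The state-changing action. Requiring POST is a courtesy (it keeps the action
// out of bookmarks and prefetchers); the token is what actually blocks CSRF.
function handle_logout(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        echo "Refused: missing or invalid CSRF token.\n";
        return;
    }
    session_destroy();
    echo "Logged out.\n";
}

// Dispatch. Whether the browser asked for /script.php?logout=true or for
// /script.php/image.jpg?logout=true, the request arrives here unchanged.
if (isset($_GET['logout']) || isset($_POST['logout'])) {
    handle_logout();
    exit;
}

// Render the real form with the token embedded. A page on another origin cannot
// read this value out of the victim's session, so its forged request lacks it.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="/script.php">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input type="hidden" name="logout" value="true">'
   . '<button type="submit">Log out</button>'
   . '</form>';
```

Deploying this as script.php and fetching it twice, once as /script.php?logout=true and once as /script.php/image.jpg?logout=true, shows that both requests run the same handler and are both refused without the token, which is the observation Teddy makes about the image-extension heuristic.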

----- Original Message -----
From: "Chris Shiflett" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "Jay Blanchard" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, August 16, 2004 9:52 PM
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?


> --- [EMAIL PROTECTED] wrote:
> > And I m sure all PHP developers check their applications for
> > CSRF vulnerability, in various browsers (including I.E. ).
>
> I speak about CSRF in many of the talks I give, and I think you'd be
> surprised by how many people haven't even heard of it.
>
> > As a PHP/Java developer, I would be interested to know what
> > I.E. is doing in their browsers to prevent CSRF attacks. I m
> > not trying to start a browser war here.
>
> Well, to be fair, even if it is true that IE does not request a URL
> referenced in an img tag unless the file extension matches a known image
> type, this isn't a complete or even optimal solution to the problem. Also,

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php