--- Octavian Rasnita <[EMAIL PROTECTED]> wrote:
> Why is so important if Internet Explorer allows URLS of images
> where the file name is only .jpg, .png, or .gif?
> 
> A url can be something like:
> 
> http://www.site.com/script.php/image.jpg?logout=true

This is definitely true, but as I mentioned in a previous reply, the point
of most CSRF attacks is to spoof a request from a trusted user to another
Web site. Thus, both the user and the other Web site are the victims. Most
Web sites don't have pages that use the .png extension. The attacker isn't
the receiving site; he/she is the person launching the attack that causes
the spoofed request.

For more information, since I fear my brief description is inadequate, you
can see these resources:

http://shiflett.org/articles/foiling-cross-site-attacks
http://shiflett.org/talks/oscon2004/foiling-cross-site-attacks
http://shiflett.org/php-security.pdf

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming Fall 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
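To make the mechanism in the reply concrete, here is an added example (not code from the thread or from Chris Shiflett): a PHP logout handler in the vulnerable form that the quoted URL would trigger, beside a hardened form that requires a POST carrying a per-session token. It assumes PHP 7 or later; the function and field names are hypothetical.

```php
<?php
// Added example, not from the thread. A state-changing "logout" action.
// The URL quoted above, script.php/image.jpg?logout=true, works against a
// handler like this because the browser attaches the session cookie to any
// request, including one triggered by an <img> tag on an attacker's page.
session_start();

// Vulnerable form: any GET with ?logout=true, from any origin, is honoured.
function handle_logout_vulnerable(): void
{
    if (isset($_GET['logout']) && $_GET['logout'] === 'true') {
        session_destroy();
    }
}

// Hardened form: the action must be a POST carrying a secret token that only
// a page served by this site could know. An <img> tag can only issue a GET
// and cannot read the token, so a cross-site request fails the check.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function handle_logout_hardened(): bool
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    $sent = $_POST['csrf_token'] ?? '';
    // Constant-time comparison, so timing does not leak the token.
    if (!isset($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $sent)) {
        return false;
    }
    session_destroy();
    return true;
}

// The logout form: the token is embedded in the page body, never in a URL.
function logout_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/logout.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="submit" value="Log out"></form>';
}
```

Rejecting the request is only half of the defence; logging rejected POSTs with their Referer and session id gives the receiving site a signal that someone is attempting cross-site requests against it.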
