love your insight into this and the clear example you gave!  

I tried to get the header code to work, but it wouldn't execute the php code, 
so I went to my saved books on devx/Safari and got some code from the PHP 
Cookbook about using a form with hidden variables to send the user to the 
clicked link, and all works well now.  (and I'll add the acceptable urls code 
now)

example from PHP Cookbook, section 8.3.4:

<html>
  <body onload="document.getElementById('redirectForm').submit()">
    <form id='redirectForm' method='POST' action='/done.html'>
      <input type='hidden' name='status' value='complete'/>
      <input type='hidden' name='id' value='0u812'/>
      <input type='submit' value='Please Click Here To Continue'/>
    </form>
  </body>
</html>

and just changed the action to where the user is to go and commented out the 
submit input line so the button wouldn't show and put my php code after the 
body tag.

Susan


----- Original Message ----
From: Rolan Yang <[EMAIL PROTECTED]>
To: NYPHP Talk <talk@lists.nyphp.org>
Sent: Friday, February 22, 2008 8:47:37 AM
Subject: Re: [nyphp-talk] javascript calling php function

csnyder wrote:
> Right, you can't trust the referer if you fear scripted attacks.
>
> John, is that what you were talking about, or was it something more
> abstract and seo-related?
>
> I was picturing people using the open redirect to take advantage of
> your page rank by causing your site to link to theirs.
>
>  

Your paranoia is well justified. Open redirects are exploited by 
unsavory people in a number of ways. I came across a phishing email 
recently posing as a fake "Paypal confirmation". In the page was a link 
which appeared to point at aol.com (some 1/2 internet savvy people 
glance at the url to see if it points to a "reputable" site before 
clicking away on it). The aol.com link led to a well constructed 
imitation of the Paypal login page which was intended to maliciously 
steal accounts. Here is an example of the link:

http://www.aol.com/redir.adp?_e_t=ap&_a_v=2.0&_a_i=100124311x1116601028x1077500809&_url=http://www.nyphp.org

If you want to peek at a copy of the original phishing mail, check out 
http://www.datawhorehouse.com/0day/paypalphish

The safer thing for Susan to do would probably be to put all the valid 
redirect URLs in an array like:

redir.php:

<?php
$validURLS = array(
    0 => 'www.mysite.com',
    1 => 'www.yahoo.com',
    2 => 'www.nyphp.org',
    3 => 'www.php.net'
);

// some code to store hit in db logs goes here

// look the index up in the array; an unknown index is rejected rather than
// being concatenated straight into the Location header
$i = intval($_GET['r']);
if (!isset($validURLS[$i])) {
    exit('unknown redirect target');
}
header('Location: http://'.$validURLS[$i]);
?>

~Rolan
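As an added example (not Rolan's code and not from the PHP Cookbook), here is a complete redir.php built on the allowlist idea above: the link on the page carries only an index (/redir.php?r=2), the script resolves that index against a fixed list of full URLs, and anything that is not a known index is refused instead of being echoed into the Location header. The URL list, the parameter name r, and the log line format are assumptions.

```php
<?php
// redir.php: allowlist-based redirect (added example, not the list's code).
// Assumed layout: links on the site point at /redir.php?r=<index>, where
// <index> selects one entry of $validURLs below. The list is the only
// source of redirect targets; nothing from the request reaches the header.

$validURLs = array(
    0 => 'http://www.mysite.com/',
    1 => 'http://www.yahoo.com/',
    2 => 'http://www.nyphp.org/',
    3 => 'http://www.php.net/',
);

/**
 * Return the allowlisted URL for $r, or null if $r is not a valid index.
 * Only plain digit strings are accepted, so "2abc", "-1", "0x2" or an
 * array value (r[]=2) are all rejected rather than silently coerced to 0.
 */
function resolveRedirect(array $allowed, $r)
{
    if (!is_string($r) || $r === '' || !ctype_digit($r)) {
        return null;
    }
    $i = (int) $r;
    return isset($allowed[$i]) ? $allowed[$i] : null;
}

$raw    = isset($_GET['r']) ? $_GET['r'] : null;
$target = resolveRedirect($validURLs, $raw);

if ($target === null) {
    // Unknown or malformed index: fail closed with a 400, no redirect.
    header('HTTP/1.1 400 Bad Request');
    echo 'Unknown redirect target.';
    exit;
}

// Log the click. Log the resolved index and URL, not the raw query string,
// so the log cannot be stuffed with attacker-chosen text.
error_log(sprintf('redirect r=%d -> %s', (int) $raw, $target));

header('Location: ' . $target, true, 302);
exit;
```

With this shape there is no way for a crafted link to make the site redirect to a host outside the list, which is exactly the property the phishing example above abuses; adding a new destination means editing the array, not trusting a new query value.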

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php