On Feb 28, 2008, at 2:46 PM, Wade Preston Shearer wrote:

For example, you might offer a one-click purchase button:

<form action="https://www.yourcompany.com/cart.php" method="post">
<input type="hidden" name="product_id" value="12345" />
<input type="submit" name="submit" value="Buy this product now" />
</form>

If you use $_REQUEST instead of $_POST, then visiting the following URL will also cause your product to be purchased:

https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now

Now, let's say a hacker embeds the above URL in his MySpace page as an image.

<img src="https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now" />

Any of your previously authenticated customers who visit this hacker's MySpace page will automatically purchase your product without knowing it.

This is called cross-site request forgery (CSRF):
http://en.wikipedia.org/wiki/Cross-site_request_forgery

While requiring slightly more work for the hacker, how is this any different from you using $_POST and the hacker putting a button on his site that runs a script that posts straight to your script?

In my scenario, the user has to only visit the MySpace page. In your scenario, the user has to click a submit button.
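The reply above is right that switching from $_REQUEST to $_POST only raises the bar: an attacker-controlled page can still auto-submit a hidden form to cart.php on behalf of a logged-in user. What actually stops the forged purchase is a per-session secret that the attacker's page cannot read or guess. The following cart.php is an added example, not code from the thread; it keeps the quoted form's product_id field and assumes a PHP session, a token field named csrf_token, and a hypothetical purchase_product() helper.

```php
<?php
// Added example (not from the original thread): a CSRF-resistant cart.php.
// Assumptions: PHP sessions are in use, the form field is named "csrf_token",
// and purchase_product() is a hypothetical helper supplied by the application.

session_start();

// Issue one unpredictable token per session and embed it in every
// state-changing form the site renders.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A request may purchase only if it is a POST (so a plain GET from an <img>
// never reaches the purchase logic) AND carries the session's token.
// hash_equals() compares in constant time to avoid timing leaks.
function csrf_request_is_valid(): bool
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!csrf_request_is_valid()) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // Read from $_POST only, never from $_REQUEST, and validate the value.
    $product_id = filter_input(INPUT_POST, 'product_id', FILTER_VALIDATE_INT);
    if ($product_id === false || $product_id === null) {
        http_response_code(400);
        exit('Bad product id.');
    }
    // purchase_product($product_id);  // hypothetical application helper
    echo 'Purchased product ' . $product_id . '.';
    exit;
}

// GET: render the one-click form with the token included.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form action="https://www.yourcompany.com/cart.php" method="post">
<input type="hidden" name="product_id" value="12345" />
<input type="hidden" name="csrf_token" value="<?= $token ?>" />
<input type="submit" name="submit" value="Buy this product now" />
</form>
```

With this in place, the <img> trick fails because GET never purchases, and a forged POST from another origin fails because the attacker's page has no way to read the victim's csrf_token out of the session or the legitimate form. On current browsers, marking the session cookie SameSite=Lax or Strict adds a second, independent layer, but the token check is the part that does not depend on client behaviour.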



_______________________________________________

UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
