On Thu, Feb 28, 2008 at 3:56 PM, Wade Preston Shearer <[EMAIL PROTECTED]> wrote:
> I wasn't referring to CSRF. I was showing how the shopping cart/MySpace
> example wasn't a valid reason against using REQUEST as the hacker can
> fake-post to the shopping cart just as easy as he can fake-get to the
> shopping cart, both without user interaction.

The example was one of CSRF. CSRF would use the already logged-in user's (that you left the <img> comment) auth. Meaning that, although the hacker was the one who added the <img>, the system thinks YOU'RE posting the form. Thus, you can change passwords, delete accounts, whatever else is allowed via GET and the user's authentication.

Hope that's a better explanation.

dw

--
- http://stderr.ws/
"Insert pseudo-insightful quote here." - Some Guy

_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
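The point dw is making, shown as an added PHP example that is not from the thread: a state-changing handler fed from $_REQUEST is reachable by a forged cross-site GET carrying the victim's session, while a handler that requires POST and a per-session CSRF token is not. Function names, the array stand-ins for the session and request, and the sample values are all constructed for illustration.

```php
<?php
// Added example (not from the mailing-list thread). Contrasts a
// $_REQUEST-driven action with one that insists on POST plus a CSRF
// token tied to the session. The $session/$request arrays stand in
// for the real superglobals so the script runs from the command line.
declare(strict_types=1);

// Vulnerable: $_REQUEST merges GET, POST and COOKIE, so an <img> tag
// planted by someone else, pointing at this handler, fires it as the
// logged-in victim. Nothing but the ambient session authorises the change.
function change_password_vulnerable(array $request, array $session): string
{
    if (empty($session['user'])) {
        return 'not logged in';
    }
    return "password for {$session['user']} changed to {$request['new_password']}";
}

// Mint a random token once per session; embed it in every real form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Hardened: only POST, only $_POST, and the submitted token must match
// the session copy (hash_equals avoids a timing side channel).
function change_password_hardened(string $method, array $post, array $session): string
{
    if (empty($session['user'])) {
        return 'not logged in';
    }
    if ($method !== 'POST') {
        return 'rejected: method';
    }
    $sent = $post['csrf'] ?? '';
    if (empty($session['csrf']) || !hash_equals($session['csrf'], $sent)) {
        return 'rejected: csrf token';
    }
    return "password for {$session['user']} changed";
}

// Constructed walk-through: a forged GET, a POST with a guessed token,
// and a genuine form submission carrying the session's token.
$session = ['user' => 'alice'];
echo change_password_vulnerable(['new_password' => 'pwned'], $session), "\n";
echo change_password_hardened('GET', [], $session), "\n";
$token = csrf_token($session);
echo change_password_hardened('POST', ['csrf' => 'guess'], $session), "\n";
echo change_password_hardened('POST', ['csrf' => $token], $session), "\n";
```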
