Posted: Fri Aug 10, 2007 2:21 pm
by superdezign
volka wrote:I don't see it. They're both user input. I have to test and check them both the same way. What harm can it do to my application's or server's security?
It may be that I don't want the user to be able to replace post data by get data. But that's no matter of security.
$_REQUEST can open a lot of programmers up to XSS.

URL:

page.php?name="><script>alert('>:D');</script><"

PHP:

// page.php
<form>
    <input type="text" name="name" value="<?php echo isset($_REQUEST['name']) ? $_REQUEST['name'] : ''; ?>" />
</form>

One of the reasons to always use htmlspecialchars(), but you see a lot of programmers that don't.

Posted: Fri Aug 10, 2007 2:23 pm
by volka
But this has nothing to do with _REQUEST. You have the exact same problem if you use _GET or _POST.

Posted: Fri Aug 10, 2007 2:30 pm
by Benjamin
See my last post on page 1.

Posted: Fri Aug 10, 2007 2:32 pm
by superdezign
volka wrote:But this has nothing to do with _REQUEST. You have the exact same problem if you use _GET or _POST.
You can't simulate a POST with XSS using the URL.

Posted: Fri Aug 10, 2007 2:44 pm
by volka
But with _GET. And if you print POSTed data without treatment you can have XSS problems as well.

Posted: Fri Aug 10, 2007 2:48 pm
by superdezign
volka wrote:But with _GET. And if you print POSTed data without treatment you can have XSS problems as well.
So basically, $_REQUEST isn't a security risk if you are already taking the necessary security measures...?

Posted: Fri Aug 10, 2007 2:53 pm
by volka
What can't you do to _REQUEST data that you can do to _POST or _GET?
Let me put it this way: I've seen this discussion several times now and I'm still waiting for an example of a real security risk that is inherent to _REQUEST.

Posted: Fri Aug 10, 2007 2:58 pm
by Benjamin
astions wrote:See my last post on page 1.

Posted: Fri Aug 10, 2007 3:22 pm
by volka
@astions: and in what way is this a problem specific to _REQUEST?

Posted: Fri Aug 10, 2007 3:24 pm
by Benjamin
Because if you use $_REQUEST instead of $_POST you have lost the ability to verify that it is not a $_GET request.

Posted: Fri Aug 10, 2007 3:30 pm
by volka
And what good does it do my script's security to know that it is a post request?
I could e.g. put a form/post on my malicious website instead of a link.

Posted: Fri Aug 10, 2007 3:33 pm
by Benjamin
Right, but the user would have to click submit to process the request, rather than it happening without them knowing it.

Posted: Fri Aug 10, 2007 3:37 pm
by volka
Doesn't the user have to click the link as well?

Posted: Fri Aug 10, 2007 3:40 pm
by Benjamin
Not with an image tag requesting the remote page. It happens totally without the user's knowledge. If you're logged into site foo, and you visit malicious site bar, this second site can perform actions on your behalf on site foo through the use of image tag GET requests.

Posted: Fri Aug 10, 2007 3:45 pm
by volka
The wonderful world of javascript and ajax makes this possible for post data as well.
Or even simpler, the easiest way to spread trojans:

What pictures of Shirley Schmidt did Alan Shore actually buy?
See for yourself on 
<form method="post" action="http://www.the.Other/Site.php" style="display:inline;">
  <input type="hidden" name="action" value="delete" />
  <input type="hidden" name="filter" value="*" />
  <input style="display:inline; text-decoration:underline; color:blue; background:none; border:none; cursor:pointer;"
    type="submit" value="The official Boston Legal page">
</form>
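The thread raises three separate points: reflecting raw input into HTML (superdezign's XSS form), accepting a state-changing action from any method via $_REQUEST (Benjamin), and the fact that a hidden form on another site can POST just as well as an image tag can GET (volka). The following handler, an added example and not code posted by any participant, addresses all three in one page; the filename delete.php, the function names and the sample file list are assumptions, while the 'action' and 'filter' parameter names are taken from the form quoted above. It uses PHP 7.4+ features (random_bytes, hash_equals, arrow functions).

```php
<?php
// Added example, not code from the thread. Reads $_POST rather than
// $_REQUEST and checks the method, requires a per-session CSRF token so a
// hidden cross-site form is rejected along with image-tag GETs, and escapes
// everything reflected into HTML. Filename and helper names are assumed.
session_start();

function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Escape for an HTML body or attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// State-changing action: POST only, valid token required, explicit source array.
function handle_delete(): string
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        return 'Method not allowed';
    }
    $token = $_POST['csrf_token'] ?? '';
    if (!is_string($token) || !hash_equals(csrf_token(), $token)) {
        http_response_code(403);
        return 'Missing or invalid CSRF token';
    }
    $filter = (string) ($_POST['filter'] ?? '');
    // Constructed sample data standing in for the real store.
    $items = ['report.pdf', 'photo.jpg', 'notes.txt'];
    $kept  = array_filter($items, fn($f) => !fnmatch($filter, $f));
    return sprintf('Deleted %d item(s) matching %s', count($items) - count($kept), $filter);
}

if (($_POST['action'] ?? '') === 'delete') {
    echo '<p>' . h(handle_delete()) . '</p>';
}
?>
<form method="post" action="delete.php">
  <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>" />
  <input type="hidden" name="action" value="delete" />
  <input type="text" name="filter" value="<?= h((string) ($_POST['filter'] ?? '')) ?>" />
  <input type="submit" value="Delete" />
</form>
```

With this in place, volka's hidden form on the.Other site still submits a POST, but it cannot supply the session-bound csrf_token, so the delete is refused; the XSS payload from the URL example is rendered as literal text because every reflected value passes through h().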