hacking by url rewriting
Posted: Fri Aug 22, 2014 8:16 am
Hi all,
I have a security problem with my website, which is a social network (like Facebook).
Let me explain:
You can execute this page on my website.
http://www.SocialNetWork.com/ChangeStat ... aram=Hello
So your status becomes "Hello".
On your profile, you can create a link to a picture on the web, for example: <img src='http://www.hacking.com/pic.jpg'>
The problem is that a "hacker" created several Russian girl profiles and made links to pic.jpg on his server, and this .jpg file rewrites the URL to: http://www.SocialNetWork.com/ChangeStat ... param=Suck.
So when you visit his profile, the PHP code is launched, and the status OF THE VISITOR is changed!
I have no idea how to stop this.
If I check the variable: $_SERVER['HTTP_REFERER']
The value is empty or http://www.SocialNetWork.com, but never http://www.hacking.com ...
How can I stop a foreign picture from launching a PHP page on my website?
Thanks for help!
PS: sorry for my English
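What the post describes is a cross-site request forgery: the image redirect makes the visitor's own browser issue a GET to the status-changing page with the visitor's session cookie, and the Referer header cannot be relied on since browsers often omit it. The usual defence is to accept state changes only via POST and only with a per-session secret token that an attacker's server cannot know. Below is an added example of such an endpoint (not the poster's code); the file name ChangeStatus.php, the session and form key csrf_token and the update_status helper are assumptions.

```php
<?php
// Added example, not the poster's code. Assumed: ChangeStatus.php, key 'csrf_token'.
// SameSite=Lax (PHP 7.3+) keeps the session cookie off cross-site subrequests
// such as an <img> fetch that redirects to this page.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// One random token per session; it is never sent to other origins.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A request may change state only if it is a POST carrying the session's token.
// An <img> or a redirect can only produce a GET, and a form on a foreign site
// cannot read the token, so both paths are rejected here.
function csrf_check(string $method, array $post): bool {
    if ($method !== 'POST') {
        return false;
    }
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent) && hash_equals(csrf_token(), $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_SERVER['REQUEST_METHOD'], $_POST)) {
        http_response_code(403);
        exit('Invalid request');
    }
    $status = trim((string)($_POST['param'] ?? ''));
    update_status($_SESSION['user_id'], $status); // assumed application helper
    echo 'Status changed to ' . htmlspecialchars($status, ENT_QUOTES, 'UTF-8');
    exit;
}
?>
<form method="post" action="ChangeStatus.php">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <input type="text" name="param">
    <button type="submit">Update status</button>
</form>
```

Any other page that changes data (profile edits, friend requests, messages) needs the same POST-plus-token check, otherwise the attacker simply targets that page instead.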