Captcha ZDR - leave comments

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


zdrsoft
Forum Newbie
Posts: 3
Joined: Thu Feb 08, 2007 5:44 am

Captcha ZDR - leave comments

Post by zdrsoft »

Please review and leave your comments on this new captcha class written in PHP.

Captcha ZDR anti-spam protection

Best regards
zdrsoft
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Since you generate HTML that simply outputs session_id(), I'm afraid it opens your form to XSS attacks... (all the user needs to know is the session_name, and then he can request the form with ?%session_name%=%some xss attack vector% )
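The weakness timvw points at, written out as an added example (this is not code from the Captcha ZDR class, and the function names are hypothetical): the session id is echoed raw into the markup, and when PHP is willing to take the id from the query string rather than only from the cookie, that value is attacker-chosen. The hardened variant below assumes PHP 7 or later, validates the id against the character set PHP itself uses, escapes it on output, and switches the session to cookie-only so the URL stops being an id source at all. The ids in the demo are constructed strings; no live session is started.

```php
<?php
// Added example, not part of the Captcha ZDR class under review.
// $sid is passed in so the rendering functions can be exercised without a
// live session; in the real class the value would come from session_id().

// Vulnerable: the id goes into the markup unescaped. With
// session.use_trans_sid on, or session.use_only_cookies off, PHP will adopt
// an id supplied in the URL, so whatever characters it contains become live
// HTML in the page that is served back.
function renderCaptchaFormVulnerable(string $sid): string
{
    return '<form method="post" action="verify.php">'
         . '<img src="captcha.php?sid=' . $sid . '" alt="captcha">'
         . '<input type="hidden" name="sid" value="' . $sid . '">'
         . '<input type="text" name="code"><input type="submit" value="OK">'
         . '</form>';
}

// A PHP-generated session id is a run of [A-Za-z0-9,-]; session.sid_length
// is bounded to 22..256. Anything outside that shape was never issued by
// the server and should be discarded, not rendered.
function isPlausibleSessionId(string $sid): bool
{
    return (bool) preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid);
}

// Hardened: validate first, then escape on output. The cookie already
// carries the id to captcha.php, so it need not appear in the URL at all;
// the escaped hidden field shows what to do when it genuinely must appear.
function renderCaptchaFormHardened(string $sid): string
{
    if (!isPlausibleSessionId($sid)) {
        // Caller should treat this as a bad session and session_regenerate_id().
        throw new InvalidArgumentException('malformed session id');
    }
    $safe = htmlspecialchars($sid, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="verify.php">'
         . '<img src="captcha.php" alt="captcha">'
         . '<input type="hidden" name="sid" value="' . $safe . '">'
         . '<input type="text" name="code"><input type="submit" value="OK">'
         . '</form>';
}

// Session bootstrap that removes the URL as an id source altogether.
// Call this instead of a bare session_start(); the keys are standard
// php.ini session settings (use_strict_mode needs PHP >= 5.5.2).
function startSessionCookieOnly(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1'); // drop ids the server never issued
    session_start();
}

// Demo with constructed ids (no real session involved).
$good = 'abc123def456ghi789jkl0';        // 22 chars, well-formed
$bad  = 'x"><b>injected</b>';            // markup smuggled in via the id

echo renderCaptchaFormVulnerable($bad), "\n";   // <b>injected</b> lands in the page
echo renderCaptchaFormHardened($good), "\n";    // renders normally
try {
    renderCaptchaFormHardened($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";  // malformed id never reaches HTML
}
```

The order matters: the ini settings stop an attacker from choosing the id in the first place, the regex catches anything that slipped through (an old cookie, a misconfigured reverse proxy), and htmlspecialchars() is the last line of defence for the case where the id still has to be written into the page.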
zdrsoft
Forum Newbie
Posts: 3
Joined: Thu Feb 08, 2007 5:44 am

OK

Post by zdrsoft »

timvw wrote: Since you generate HTML that simply outputs session_id(), I'm afraid it opens your form to XSS attacks... (all the user needs to know is the session_name, and then he can request the form with ?%session_name%=%some xss attack vector% )
Thank you for your advice. I'll fix that.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

Ask this guy for an opinion: http://sam.zoy.org/pwntcha/
(Hi ;)