[UPHPU] receiving with $_REQUEST

Joshua Simpson std3rr at gmail.com
Thu Feb 28 17:00:20 MST 2008


On Thu, Feb 28, 2008 at 3:56 PM, Wade Preston Shearer <lists at wadeshearer.com>
wrote:

>
> I wasn't referring to CSRF. I was showing how the shopping cart/
> MySpace example wasn't a valid reason against using REQUEST as the
> hacker can fake-post to the shopping cart just as easy as he can fake-
> get to the shopping cart, both without user interaction.
>

The example was one of CSRF.  CSRF would use the already logged-in user's
(that you left the <img> comment) auth. Meaning that, although the hacker
was the one who added the <img>, the system thinks YOU'RE posting the form.
Thus, you can change passwords, delete accounts, whatever else is allowed
via GET and the user's authentication.  Hope that's a better explanation.

dw

-- 
-
http://stderr.ws/
"Insert pseudo-insightful quote here." - Some Guy
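The CSRF mechanism Joshua describes (the browser attaching the victim's session cookie to a request the attacker's page triggered) is easiest to see in a handler. The following is an added example, not code from either poster: a password-change endpoint written once with $_REQUEST, which accepts the parameter from a GET, and once with the mitigation that actually stops CSRF, a per-session token checked in constant time. Wade's point also holds here: requiring POST alone is not enough, since a hidden form can be auto-submitted, so the token check is the part that matters. `change_password()` is a hypothetical placeholder for the real persistence call, and `$_SESSION['user_id']` is assumed to be set at login.

```php
<?php
// Added example (not from the UPHPU thread). Two versions of the same handler.
// Assumes $_SESSION['user_id'] is set at login; change_password() is a
// hypothetical placeholder for whatever stores the new hash.
declare(strict_types=1);
session_start();

function change_password(int $userId, string $newPassword): void
{
    // Placeholder: persist password_hash($newPassword, PASSWORD_DEFAULT) for $userId.
}

// --- Weak: $_REQUEST merges GET and POST, so the HTTP method is irrelevant.
// A request the browser makes on the victim's behalf (the <img> case from the
// thread) carries the session cookie and reaches change_password().
function handle_weak(): string
{
    if (!isset($_SESSION['user_id'])) {
        return 'not logged in';
    }
    if (isset($_REQUEST['new_password'])) {
        change_password((int) $_SESSION['user_id'], (string) $_REQUEST['new_password']);
        return 'password changed';
    }
    return 'no-op';
}

// --- Hardened: POST only, plus a secret token bound to this session that a
// cross-site page cannot read and therefore cannot include in its request.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function handle_hardened(): string
{
    if (!isset($_SESSION['user_id'])) {
        return 'not logged in';
    }
    // Method check alone is not a CSRF defence (a hidden form can POST), but it
    // keeps state changes off GET so links and images can never trigger them.
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        http_response_code(405);
        return 'method not allowed';
    }
    $sent = (string) ($_POST['csrf_token'] ?? '');
    // hash_equals() avoids leaking the token byte-by-byte through timing.
    if ($sent === '' || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        return 'bad csrf token';
    }
    $new = (string) ($_POST['new_password'] ?? '');
    if (strlen($new) < 12) {
        return 'password too short';
    }
    change_password((int) $_SESSION['user_id'], $new);
    return 'password changed';
}

// The legitimate form embeds the session's token; an attacker's page has no way
// to obtain it, so its forged request fails the hash_equals() check above.
function render_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/change-password.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="password" name="new_password">'
         . '<button type="submit">Change</button></form>';
}

echo handle_hardened(), PHP_EOL;
```

Run from the CLI with no session the script just prints `not logged in`; behind a web server, `render_form()` goes in the page and `handle_hardened()` in the action. Marking the session cookie `SameSite=Lax` or `Strict` in `session_set_cookie_params()` is a second, independent layer that keeps the browser from attaching the cookie to cross-site requests in the first place, but the token check should stay regardless.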

