Stefan Priebsch wrote:
> Richard Lynch wrote:
>> If a web service really doesn't care whether it is responding to GET
>> or POST or even forged COOKIES to produce its output, why would it not
>> just use REQUEST?
>>
>> It's not as if it's any harder to forge GET vs. POST vs. COOKIE data,
>> really.
>
I am replying to Stefan's mail because I don't see the one by Richard (yet).

@Richard: You don't understand the problem with _REQUEST. It is not
about the fact that someone can forge GET, POST, COOKIE variables.
It is about the fact that COOKIEs will overwrite GET and POST data in
REQUEST.

Therefore I could infect your browser with a cookie that says e.g.
action=logout and from that day on you cannot use the application
anymore because REQUEST[action] will be logout forever (until you
manually delete the cookie).

And to infect you with a COOKIE is so simple...
a) I could use an XSS vuln in any application on a subdomain
b) Ever tried setting a cookie for *.co.uk or *.co.kr when you own a
single domain there?
c) Other cross domain whatever ways...

And if you believe that this is not an issue then I can tell you that
there is a simple possibility to set e.g. a *.co.kr cookie that results
in several PHP versions just returning white pages.
Imagine: Just a single cookie to kill all PHP pages in *.co.kr

And by setting an illegal session ID in a cookie valid for *.co.kr in a
variable called +PHPSESSID=*illegal* you can still DOS every PHP
application in Korea using PHP sessions...


Greetings,
Stefan

-- 
PHP Internals - PHP Runtime Development Mailing List
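
The override described in the message above, modelled as an added example that is not part of the original thread or of PHP's own source. `merge_request()` and `read_action()` are hypothetical helpers and the request data is constructed; the order string follows the letters PHP uses in its `variables_order` and `request_order` ini directives (`request_order` exists since PHP 5.3).

```php
<?php
declare(strict_types=1);

// Added illustration: models how PHP fills $_REQUEST from its sources.
// merge_request() is a hypothetical helper, not a PHP built-in.
// Sources are merged in the order given (G = GET, P = POST, C = COOKIE);
// a later source overwrites an earlier one when keys collide.
function merge_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Constructed sample request: the URL asks for "view", but the browser
// also sends a cookie named "action" with every request.
$get    = ['action' => 'view', 'id' => '42'];
$post   = [];
$cookie = ['action' => 'logout', 'PHPSESSID' => 'abc123'];

// Order "GPC": the cookie is merged last, so the application sees "logout".
$gpc = merge_request('GPC', $get, $post, $cookie);
// Order "GP": cookies never reach the merged array, the URL value survives.
$gp = merge_request('GP', $get, $post, $cookie);

printf("GPC: action=%s\n", $gpc['action']);
printf("GP : action=%s\n", $gp['action']);

// Hardened read: name the source explicitly instead of trusting the merge,
// and accept only values from an allow-list (anything else becomes "view").
function read_action(array $get, array $post): string
{
    $value = $post['action'] ?? $get['action'] ?? 'view';
    $allowed = ['view', 'edit', 'logout'];
    return in_array($value, $allowed, true) ? $value : 'view';
}

printf("explicit: action=%s\n", read_action($get, $post));
```

Setting `request_order = "GP"` in php.ini keeps cookies out of `$_REQUEST`; reading `$_GET` and `$_POST` directly removes the dependency on that setting altogether.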