Why is it so important if Internet Explorer only allows image URLs where the
file name is .jpg, .png, or .gif?

A URL can be something like:

http://www.site.com/script.php/image.jpg?logout=true

Internet Explorer might think that the file is a .jpg and that script.php is
a directory, but only the target web server knows which one is the program.
Or PHP code might be contained in an "image.jpg" file.
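An added illustration of the point above (not part of Teddy's message or of the thread): a browser-side extension check only sees the last path segment, while the server matches the path prefix against its scripts and hands the remainder over as PATH_INFO, so the same URL is "an image" to the browser and a script call to the server. The script names and URLs below are constructed.

```python
from os.path import splitext
from urllib.parse import urlsplit

IMAGE_EXTENSIONS = {".jpg", ".png", ".gif"}

# Constructed stand-in for the server's document root: the paths that are
# real scripts. Apache-style lookup: the first path prefix naming an existing
# script handles the request and whatever follows becomes PATH_INFO.
SCRIPTS = {"/script.php", "/logout.php"}


def looks_like_image(url):
    """The browser-side heuristic discussed in the thread: inspect only the
    extension of the last path segment, ignoring the query string."""
    path = urlsplit(url).path
    return splitext(path)[1].lower() in IMAGE_EXTENSIONS


def server_resolves(url):
    """Return (script, path_info, query) the way a typical web server would.
    script is None when no path prefix matches a known script."""
    parts = urlsplit(url)
    segments = parts.path.split("/")
    for i in range(1, len(segments) + 1):
        candidate = "/".join(segments[:i])
        if candidate in SCRIPTS:
            rest = segments[i:]
            path_info = "/" + "/".join(rest) if rest else ""
            return candidate, path_info, parts.query
    return None, parts.path, parts.query


def heuristic_is_fooled(url):
    """True when the browser would treat the URL as a harmless image while the
    server would actually run a script for it (with the query string intact)."""
    script, _path_info, _query = server_resolves(url)
    return looks_like_image(url) and script is not None


if __name__ == "__main__":
    for u in ("http://www.site.com/logo.jpg",
              "http://www.site.com/script.php/image.jpg?logout=true"):
        print(u, "image?", looks_like_image(u), "server:", server_resolves(u))
```

The second URL passes the extension check yet reaches script.php with logout=true, which is why the mitigation has to live on the server rather than in the browser's idea of what an image is.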

Teddy

----- Original Message -----
From: "Chris Shiflett" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "Jay Blanchard" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, August 16, 2004 9:52 PM
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?


> --- [EMAIL PROTECTED] wrote:
> > And I'm sure all PHP developers check their applications for
> > CSRF vulnerability, in various browsers (including I.E.).
>
> I speak about CSRF in many of the talks I give, and I think you'd be
> surprised by how many people haven't even heard of it.
>
> > As a PHP/Java developer, I would be interested to know what
> > I.E. is doing in their browsers to prevent CSRF attacks. I'm
> > not trying to start a browser war here.
>
> Well, to be fair, even if it is true that IE does not request a URL
> referenced in an img tag unless the file extension matches a known image
> type, this isn't a complete or even optimal solution to the problem. Also,

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php