tedd wrote:
> <link rel="stylesheet" type="text/css" media="screen" href="<?php echo (!$thestyle)?'style1':$thestyle ?>.css" >
It's not entirely clear from this example, but am I correct in assuming that $thestyle is the same as $_COOKIE['thestyle'] in this case? In other words, are you relying on register_globals or assigning the value yourself?
If this is the value directly from the cookie, it's an example of a cross-site scripting (XSS) vulnerability.
> header("Location: $HTTP_REFERER");
This is an HTTP response splitting vulnerability, because the Referer header (like the Cookie header) is provided by the client. Future versions of PHP will not allow more than one header per header() call, but this has been possible until now.
> 1. Is he right?
Yes, it seems so.
> 2. How does that work?
The Cookie header is part of an HTTP request. This is sent by the client, and although the standard mechanism involves the client returning exactly what you requested (e.g., the value matches that of a previous Set-Cookie header), there's no guarantee that a malicious user would be as polite.
> 3. If so, what do I do to correct this?
Don't trust any input without inspecting it first. In your case, this is particularly easy, because you can just make sure that the value is one of the few valid values.
Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
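An added example of the two fixes the reply recommends (not Chris's or tedd's code): the cookie value is checked against a short list of valid stylesheet names before it is echoed, and the redirect only uses the Referer when it is free of CR/LF and points at the site's own host; the stylesheet names and OWN_HOST are assumed values.

```php
<?php
// Added example, not from the original thread. Assumed: these are the only
// stylesheets the site ships, and OWN_HOST is the site's real hostname.
const VALID_STYLES = ['style1', 'style2', 'style3'];
const OWN_HOST     = 'example.com';

/**
 * Return a stylesheet name that is guaranteed to be one of ours.
 * A missing, tampered, or markup-carrying cookie falls back to style1,
 * so nothing from the Cookie header ever reaches the HTML unchecked.
 */
function selectStyle(?string $cookieValue): string
{
    if ($cookieValue !== null && in_array($cookieValue, VALID_STYLES, true)) {
        return $cookieValue;
    }
    return 'style1';
}

/**
 * Pick a redirect target. The Referer is client supplied, so it is used
 * only when it contains no CR/LF (the characters that make response
 * splitting possible), parses as an http(s) URL, and stays on OWN_HOST.
 */
function redirectTarget(?string $referer, string $fallback = '/'): string
{
    if ($referer === null || preg_match('/[\r\n]/', $referer) === 1) {
        return $fallback;
    }
    $parts = parse_url($referer);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || strcasecmp($parts['host'], OWN_HOST) !== 0) {
        return $fallback;
    }
    return $referer;
}

// Redirect handler: must run before any output is sent.
if (isset($_GET['back'])) {
    header('Location: ' . redirectTarget($_SERVER['HTTP_REFERER'] ?? null));
    exit;
}

// Page output: read the cookie explicitly instead of relying on register_globals.
$thestyle = selectStyle($_COOKIE['thestyle'] ?? null);
echo '<link rel="stylesheet" type="text/css" media="screen" href="'
    . htmlspecialchars($thestyle, ENT_QUOTES, 'UTF-8') . '.css">';
```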