ECTED]>
No Phone Info Available
08/16/2004 04:57 PM
To
<[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
cc
<[EMAIL PROTECTED]>
Subject
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
> -Original Message-
> However a CSRF attack is NOT trying to access a third party cookie.
>
> The web browser makes the same GET request whether it is using TAG
> or the user clicking on a link. So in either case the cookies are in the
> context of the website to which the cookies belong.
I was able to confirm / reproduce what you're experiencing. I was also able
to confirm that toggling IE 6's acceptance of 3rd party cookies changes the
behavior.
Create an HTML file on your local machine with the following line:
<img src="http://www.atfantasy.com/test/image_status.php">
It'll load an image t
--- [EMAIL PROTECTED] wrote:
> To give some details:
>
> I am unable to re-produce a CSRF attack when the victim is
> using a I.E. 6.01 SP1 (all patches applied). However the
> attack works in Mozilla and other older browsers.
>
> I can't give you the exact code for attack (for security
> reasons
--- Ed Lazor <[EMAIL PROTECTED]> wrote:
> The link below goes to a page I found that describes CSRF a
> little differently than what Chris was presenting - to give a
> different perspective on things.
>
> http://www.squarefree.com/securitytips/web-developers.html
It doesn't seem to be different,
--- Curt Zirzow <[EMAIL PROTECTED]> wrote:
> I'm not sure how the /. logout system works, but my guess is
> that they rely on cookies to do this. Since that is a different
> site than from the originating file, those cookies would be
> considered third party. I know in IE you can disable third
> pa
--- [EMAIL PROTECTED] wrote:
> Hello Curt,
>
> Yes, the /. system depends on cookies to keep the user logged
> in.
>
> However a CSRF attack is NOT trying to access a third party
> cookie.
>
> The web browser makes the same GET request whether it is using
> TAG or the user clicking on a link. So
XHTML/DocBook XML Validator and Transformer
"Ed Lazor" <[EMAIL PROTECTED]>
No Phone Info Available
08/16/2004 02:26 PM
To
<[EMAIL PROTECTED]>
cc
Subject
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
> -Original Message-
> So now I am completely clueless as to why this particular attack works in
> Mozilla but not in IE.
Could you describe the problem again and give full detail? I think we need
to better model the problem in order to present a more effective solution.
The link below
* Thus wrote [EMAIL PROTECTED]:
> Hello Chris,
>
> I can't share the exact code ;) , but here is something very similar:
>
> <img src="http://slashdot.org/my/logout" height="1" width="1">
>
> If I load a web page with the above code, it should log me out of
> slashdot. It works in Mozilla (and netscape)
cc
Subject
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
* Thus wrote [EMAIL PROTECTED]:
> Hello Chris,
>
> I can't share the exact code ;) , but here is something very similar:
>
> http://slashdot.org/my/logout"; height="1" width="1"&g
--- [EMAIL PROTECTED] wrote:
> Upon your suggestion, I used a sniffer to sniff traffic for
> the web app that I am working on.
>
> To my surprise, the data captured during the sniff for both
> browsers was exactly the same.
Can you elaborate or post the exact requests sent from each browser? I'm
--- Octavian Rasnita <[EMAIL PROTECTED]> wrote:
> Why is it so important if Internet Explorer allows URLs of images
> where the file name is only .jpg, .png, or .gif?
>
> A url can be something like:
>
> http://www.site.com/script.php/image.jpg?logout=true
This is definitely true, but as I mentioned
EMAIL PROTECTED]
To
[EMAIL PROTECTED], [EMAIL PROTECTED]
cc
[EMAIL PROTECTED], [EMAIL PROTECTED]
Subject
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote:
> I can't share the exact code ;) , but here is something very
> similar:
>
> http://sl
ECTED]>
cc
"Jay Blanchard" <[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Why is it so important if Internet Explorer allows URLs of images where the
file name is only .jpg, .png, or .g
;;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, August 16, 2004 9:52 PM
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
> --- [EMAIL PROTECTED] wrote:
> > And I'm sure all PHP developers check their applications for
> > CSRF vulnerability, in vari
> -Original Message-
> Definitely, but most CSRF attacks are meant to spoof a request from the
> legitimate user to some Web site where he/she already has privilege. Thus,
> the receiving site is usually as much the victim as the user.
>
> I'm not sure if that makes any sense... :-)
It do
--- Ed Lazor <[EMAIL PROTECTED]> wrote:
> Wouldn't it work to just make the script spit out a mime type
> header and a small (1x1) image when it's done to satisfy the
> browser's mime type requirements?
Definitely, but most CSRF attacks are meant to spoof a request from the
legitimate user to some
> -Original Message-
> The best information would be if you can capture the exact HTTP
> transactions involved. For example, using something like ethereal, capture
> the request and response for Mozilla, and then do the same for IE 6.01
> SP1.
>
> Short of that, you could create a URL spec
What if you add a random seed to the URL?
> -Original Message-
> Hello Chris,
>
> I can't share the exact code ;) , but here is something very similar:
>
> <img src="http://slashdot.org/my/logout" height="1" width="1">
>
> If I load a web page with the above code, it should log me out of
> s
> -Original Message-
> Jay Blanchard wrote:
> > FYI -> This is (or used to be) a PHP list
>
> If I have a web server running php, how do I change the oil in my car?
Have you tried the OilChange class from PHPClasses.org? ;)
-Ed
--
PHP General Mailing List (http://www.php.net/)
To unsubs
--- [EMAIL PROTECTED] wrote:
> I can't share the exact code ;) , but here is something very
> similar:
>
> <img src="http://slashdot.org/my/logout" height="1" width="1">
>
> If I load a web page with the above code, it should log me out
> of slashdot. It works in Mozilla (and netscape), but not in I.E.
>
--- [EMAIL PROTECTED] wrote:
> And I'm sure all PHP developers check their applications for
> CSRF vulnerability, in various browsers (including I.E. ).
I speak about CSRF in many of the talks I give, and I think you'd be
surprised by how many people haven't even heard of it.
> As a PHP/Java deve
tscape), but not in I.E. 6.01 SP1
downloads.seagate.com
Chris Shiflett <[EMAIL PROTECTED]>
No Phone Info Available
08/16/2004 11:24 AM
Please respond to
[EMAIL PROTECTED]
To
[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]
cc
Subject
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
---
[snip]
Yup I think my posting is very on-topic. The application that
I am working on is written in PHP.
[/snip]
Thanks for stating that in your original post.
respond to
[EMAIL PROTECTED]
To
Jay Blanchard <[EMAIL PROTECTED]>,
[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]
cc
Subject
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- Jay Blanchard <[EMAIL PROTECTED]> wrote:
> You would have to ask the Microsoft Devel
--- Jay Blanchard <[EMAIL PROTECTED]> wrote:
> [snip]
> Perhaps the question could be asked another way and be more on
> topic.
>
> Is there a fix in I.E. 6.01 that would interfere with PHP being
> able to generate different mime types on the fly, like .png or
> .jpg
> [/snip]
>
> a. But that
--- [EMAIL PROTECTED] wrote:
> My question: Is I.E. 6.01 SP1 doing something to foil the CSRF
> attack, i.e. only allow image extensions .gif .png .jpeg?
This seems highly unlikely. Can you show us the code you're using to test?
Chris
=
Chris Shiflett - http://shiflett.org/
PHP Security
Jay Blanchard wrote:
FYI -> This is (or used to be) a PHP list
If I have a web server running php, how do I change the oil in my car?
--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
--- Jay Blanchard <[EMAIL PROTECTED]> wrote:
> You would have to ask the Microsoft Development Group, who
> probably does not subscribe to this list. Crossposting is bad.
> Being OT during a crosspost is even worse. I can hear the
> flamethrowers warming up in the wings.
>
> FYI -> This is (or use
[snip]
Perhaps the question could be asked another way and be more on topic.
Is there a fix in I.E. 6.01 that would interfere with PHP being able to
generate different mime types on the fly, like .png or .jpg
[/snip]
a. But that wasn't what he asked.
2. Top-posting === bad
PROTECTED]
Sent: Monday, August 16, 2004 10:57 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
[snip]
I am working on securing an application that uses CDSSO (Cross Domain
Single Sign On).
I am trying to reproduce the CSRF
[snip]
I am working on securing an application that uses CDSSO (Cross Domain
Single Sign On).
I am trying to reproduce the CSRF (Cross Site Request Forgery) attack
(using TAG) in I.E. 6.01, but am unable to do so. However the
attack works on Mozilla and other older browsers.
My question: Is
Hello All,
I am working on securing an application that uses CDSSO (Cross Domain
Single Sign On).
I am trying to reproduce the CSRF (Cross Site Request Forgery) attack
(using TAG) in I.E. 6.01, but am unable to do so. However the
attack works on Mozilla and other older browsers.
My questio