Re: [PHP] setcookie security concerns
An interesting question in this case is how to do an injection using cookies; injection attacks are generally performed using POST and GET data, as they can be inserted into a link on another page. Getting a working exploit would probably come down to how the browser implemented the cookie security: who can set cookies where. Regardless, it's not worth the risk. Checking for valid values or using htmlentities to make the variable safe is a quick and simple solution. Getting into the practice of screening all user data, either manually or using the input_filter extension, will also save you from these problems in the future.

David

David:

I thank you for your explanation. I experienced an injection attack on a PHP form I wrote/provided where someone entered an incomplete HTML tag that created problems for the form. So, I realize the potential; I just don't know the scope of those types of problems, and that was one of the reasons why I asked about this specific cookie issue.

What could a hacker do by injecting whatever into a cookie that resides client-side on his computer?

tedd

ps: With the form, I solved it by using htmlentities.

--
http://sperling.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] setcookie security concerns
>> If this is the value directly from the cookie, it's an example of a
>> cross-site scripting (XSS) vulnerability.
>>
>>> header("Location: $HTTP_REFERER");
>>
>> This is an HTTP response splitting vulnerability, because the Referer
>> header (like the Cookie header) is provided by the client. Future
>> versions of PHP will not allow more than one header per header() call,
>> but this has been possible until now.
>>
>>> 3. If so, what do I do to correct this?
>>
>> Don't trust any input without inspecting it first. In your case, this
>> is particularly easy, because you can just make sure that the value is
>> one of the few valid values.
>>
>> Hope that helps.
>>
>> Chris
>
> Chris:
>
> Yes, it helps and I thank you for your comments.
>
> Your question: "It's not entirely clear from this example, but am I
> correct in assuming that $thestyle is the same as $_COOKIE['thestyle']
> in this case? In other words, are you relying on register_globals or
> assigning the value yourself?"
>
> The example is here:
>
> http://www.sperling.com/examples/styleswitch/
>
> The complete php code (i.e., switch.php) is:
>
> <?php
> setcookie ('thestyle', $set, time()+31536000, '/', '', 0);
> header("Location: $HTTP_REFERER");
> ?>
>
> And the value is assigned by the user via a click:
>
> Green or href="switch.php?set=style1">Red
>
> And, the style sheet is determined by:
>
> As such, I am expecting the user to provide the value of 'thestyle' via
> his choice.
>
> However, let's say a malicious user would try to do something -- what
> could he actually do?

The user could insert arbitrary HTML where you have the variable. For example they could insert:

style1.css">...
Re: [PHP] setcookie security concerns
> tedd wrote:
>
> It's not entirely clear from this example, but am I correct in assuming
> that $thestyle is the same as $_COOKIE['thestyle'] in this case? In other
> words, are you relying on register_globals or assigning the value yourself?
>
> If this is the value directly from the cookie, it's an example of a
> cross-site scripting (XSS) vulnerability.
>
>> header("Location: $HTTP_REFERER");
>
> This is an HTTP response splitting vulnerability, because the Referer
> header (like the Cookie header) is provided by the client. Future
> versions of PHP will not allow more than one header per header() call,
> but this has been possible until now.
>
>> 1. Is he right?
>
> Yes, it seems so.
>
>> 2. How does that work?
>
> The Cookie header is part of an HTTP request. This is sent by the
> client, and although the standard mechanism involves the client
> returning exactly what you requested (e.g., the value matches that of a
> previous Set-Cookie header), there's no guarantee that a malicious user
> would be as polite.
>
>> 3. If so, what do I do to correct this?
>
> Don't trust any input without inspecting it first. In your case, this is
> particularly easy, because you can just make sure that the value is one
> of the few valid values.
>
> Hope that helps.
>
> Chris

Chris:

Yes, it helps and I thank you for your comments.

Your question: "It's not entirely clear from this example, but am I correct in assuming that $thestyle is the same as $_COOKIE['thestyle'] in this case? In other words, are you relying on register_globals or assigning the value yourself?"

The example is here:

http://www.sperling.com/examples/styleswitch/

The complete php code (i.e., switch.php) is:

And the value is assigned by the user via a click:

Green or href="switch.php?set=style1">Red

And, the style sheet is determined by:

As such, I am expecting the user to provide the value of 'thestyle' via his choice.

However, let's say a malicious user would try to do something -- what could he actually do?

Please explain.

Thanks again.

tedd

--
http://sperling.com
Re: [PHP] setcookie security concerns
tedd wrote:

It's not entirely clear from this example, but am I correct in assuming that $thestyle is the same as $_COOKIE['thestyle'] in this case? In other words, are you relying on register_globals or assigning the value yourself?

If this is the value directly from the cookie, it's an example of a cross-site scripting (XSS) vulnerability.

> header("Location: $HTTP_REFERER");

This is an HTTP response splitting vulnerability, because the Referer header (like the Cookie header) is provided by the client. Future versions of PHP will not allow more than one header per header() call, but this has been possible until now.

> 1. Is he right?

Yes, it seems so.

> 2. How does that work?

The Cookie header is part of an HTTP request. This is sent by the client, and although the standard mechanism involves the client returning exactly what you requested (e.g., the value matches that of a previous Set-Cookie header), there's no guarantee that a malicious user would be as polite.

> 3. If so, what do I do to correct this?

Don't trust any input without inspecting it first. In your case, this is particularly easy, because you can just make sure that the value is one of the few valid values.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
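The two findings in Chris's reply, the reflected cookie value (XSS) and the client-supplied Referer in header() (response splitting), side by side with the allow-list fix he recommends. This is an added example, not code from the thread or from tedd's site: the style names style1/style2, and the helper names VALID_STYLES, chooseStyle, linkTagSafe and safeRedirectTarget, are assumptions introduced here, and it assumes PHP 7 or later. One point worth drawing out of the quoted switch.php: the cookie value comes from the `set` query parameter, so the attacker does not have to edit a cookie on his own machine; a link to switch.php?set=... plants the value in any visitor's browser, and every page that echoes $thestyle afterwards reflects it to that visitor.

```php
<?php
// Added example, not code from the thread. It reconstructs the style
// switcher pattern quoted above and places the hardened form beside it.
// Assumptions (not stated in the thread): the valid style sheets are
// named style1 and style2, and pages and switch.php share one host.

declare(strict_types=1);

const VALID_STYLES = ['style1', 'style2']; // assumed names

// Vulnerable reconstruction of the <link> in the page head: the cookie
// value is echoed into an attribute unchecked, so a value containing a
// quote and a closing bracket ends the attribute and injects markup (XSS).
function linkTagUnsafe(string $thestyle): string
{
    return '<link rel="stylesheet" type="text/css" href="' . $thestyle . '.css">';
}

// Hardened: the value must be one of the few valid values (Chris's
// advice); anything else falls back to the default.
function chooseStyle(?string $candidate, string $default = 'style1'): string
{
    return in_array($candidate, VALID_STYLES, true) ? $candidate : $default;
}

// Output encoding as defence in depth: even if the allow-list were ever
// bypassed, quotes and brackets cannot terminate the attribute.
function linkTagSafe(?string $thestyle): string
{
    $file = chooseStyle($thestyle) . '.css';
    return '<link rel="stylesheet" type="text/css" href="'
        . htmlspecialchars($file, ENT_QUOTES, 'UTF-8') . '">';
}

// Redirect target for switch.php: the Referer header is client-supplied.
// A CR/LF in it was the response-splitting vector; any value that is not
// a local absolute path is also rejected, so the redirect stays on-site.
function safeRedirectTarget(?string $referer, string $fallback = '/'): string
{
    if ($referer === null || preg_match('/[\r\n]/', $referer) === 1) {
        return $fallback;
    }
    $path = parse_url($referer, PHP_URL_PATH);
    if (!is_string($path) || $path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//') {
        return $fallback;
    }
    return $path;
}

// Hardened switch.php handler. Validation uses ext/filter (the extension
// David mentions), so the cookie can only ever hold an allow-listed value.
function handleSwitch(): void
{
    $set = filter_input(INPUT_GET, 'set', FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^style[12]$/']]);
    $style = chooseStyle(is_string($set) ? $set : null);
    // 31536000 s is one year, as in the original call; httponly keeps the
    // cookie out of reach of script running in the page.
    setcookie('thestyle', $style, time() + 31536000, '/', '', false, true);
    // PHP 5.1.2 and later refuse a header() value containing a newline,
    // so splitting no longer works there; the target is validated anyway.
    header('Location: ' . safeRedirectTarget($_SERVER['HTTP_REFERER'] ?? null));
    exit;
}

// Demonstration on the command line with a constructed attacker value.
if (PHP_SAPI === 'cli') {
    $evil = 'x.css"><script>alert(1)</script><link href="';
    echo linkTagUnsafe($evil), "\n"; // the script tag ends up in the page
    echo linkTagSafe($evil), "\n";   // falls back to style1.css
    echo safeRedirectTarget("/page.php\r\nSet-Cookie: thestyle=evil"), "\n"; // "/"
    echo safeRedirectTarget('http://www.sperling.com/examples/styleswitch/'), "\n";
}
```

Run the file with the php command-line binary to see the four lines above; in a web context switch.php would call handleSwitch() and the page head would emit linkTagSafe($_COOKIE['thestyle'] ?? null). The allow-list is the real fix; htmlspecialchars on the way out and the CR/LF check on the redirect are there so that a later change to either function does not silently reopen the hole.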
Re: [PHP] setcookie security concerns
Which "someone" could do this is another question I have. The user? He'd do something to his own computer, no?

Gerry

On 3/14/06, tedd <[EMAIL PROTECTED]> wrote:
>
> Hi:
>
> I've been using a php style switcher allowing users to change css.
> The code follows:
>
> Within the head tags.
>
> Within the body tags, allowing the user to select which style they want:
>
> Green or href="switch.php?set=style1">Red
>
> And, the corresponding (switch.php) php code is:
>
> <?php
> setcookie ('thestyle', $set, time()+31536000, '/', '', 0);
> header("Location: $HTTP_REFERER");
> ?>
>
> It's pretty simple. But recently, I had one person hammer me stating
> it was a security problem because I didn't validate the user input.
> As such, he says that someone could inject an arbitrary code and
> cause problems.
>
> 1. Is he right?
>
> 2. How does that work?
>
> 3. If so, what do I do to correct this?
>
> Many thanks for any replies.
>
> tedd
> --
>
> http://sperling.com

--
Gerry
http://portal.danen.org/