On 5/17/07, Cliff Hirsch <[EMAIL PROTECTED]> wrote:

 I just discovered a hole in a white list validation technique I borrowed from
a PHP security book — no, not Chris' book.

 Beware in_array($_POST/GET['input'], $whitelist)

 Type matters. All input is string type and PHP will try to force type
matching.

 So the input string 'securityhole' will match the int number 0.


Hmmm, but it might as well be our book, because I don't immediately
see the problem...

$whitelist = array( 'foo', 'bar', 'baz' );
if ( !in_array( $_POST['input'], $whitelist ) ) {
    exit( "Denied, you cad!" );
}

What is the condition under which that is exploited?

--
Chris Snyder
http://chxo.com/
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
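
An added example, not part of the original thread or either poster's code: it runs the default loose in_array() beside strict mode over a few constructed whitelists to show which whitelist contents let a non-listed string through. It goes beyond the thread's int 0 case to cover a boolean entry and numeric strings; the check() helper and every sample value are assumptions.

```php
<?php
// Added example, not code from the thread. All inputs are constructed.
// Request data arrives as strings, so every $input below is a string.

// Hypothetical helper: run the same lookup with loose and strict comparison.
function check(string $input, array $whitelist): array
{
    return [
        'loose'  => in_array($input, $whitelist),       // default: == semantics
        'strict' => in_array($input, $whitelist, true), // === : value and type
    ];
}

$cases = [
    // All-string whitelist, as in the reply above.
    'strings only'     => ['securityhole', ['foo', 'bar', 'baz']],
    // An int entry: a non-numeric string is cast to a number on PHP < 8.
    'int 0 in list'    => ['securityhole', ['foo', 0, 'baz']],
    // A boolean entry: any non-empty string other than "0" is truthy.
    'true in list'     => ['securityhole', ['foo', true]],
    // Two numeric strings are compared as numbers, not as text.
    'numeric strings'  => ['1e1', ['10', '20']],
    // Legitimate values: strict mode needs the list typed like the input.
    'valid string'     => ['bar', ['foo', 'bar', 'baz']],
    'valid id vs ints' => ['2', [1, 2, 3]],
];

printf("PHP %s\n", PHP_VERSION);
foreach ($cases as $label => [$input, $whitelist]) {
    $r = check($input, $whitelist);
    printf(
        "%-17s input=%-13s loose=%-5s strict=%s\n",
        $label,
        var_export($input, true),
        var_export($r['loose'], true),
        var_export($r['strict'], true)
    );
}
```

The int 0 row matches loosely only on PHP versions before 8.0, where a non-numeric string compared with an int is cast to 0; the boolean and numeric-string rows match loosely on current versions as well. Strict mode rejects the string '2' against a list of ints, so a strict whitelist has to hold strings when it is checked against raw request data.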
