Chris Shiflett wrote:
hmmm....

> --- Sean Burlington <[EMAIL PROTECTED]> wrote:
>> I'm not sure what harm could be done by this though. If a browser attempts to load an image reference by an <img tag - but finds an unsuitable type of data - I would expect it simply to ignore it...
>
> I sent a response about this earlier, but you should research CSRF and XSS. It does not matter that the browser shows a broken image if it has already sent the HTTP request. There is no special HTTP request for checking whether the Content-Type is really an image without the receiving Web server taking any action. A GET is a GET.

but what does this have to do with the site allowing users to include links to images?
this is a security problem for the site that allows you to place purchase orders with a single click.
what difference does it make that img links are placed by users?
I could just as easily trick users into making GET requests by putting dodgy img links in a page that I control ...
I only initiate a small proportion of the requests my browser makes - in fact I go to some trouble to stop some of the requests happening as I don't like to see so many ads - I filter outgoing requests via squid.
There are problems in the way the internet is designed and in misconceptions as to how it works - but if we all code for absolute security we end up disconnecting from the web entirely.
--
Sean
--
PHP General Mailing List (http://www.php.net/)
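
The point both posters circle around, shown from the server's side as an added example (not part of the original thread and not code from either poster): a one-click order handler that acts on any authenticated GET, beside one that only changes state on a POST carrying a per-session token. All function names, the `csrf_token` field and the sample requests are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Weak design discussed in the thread: the order is placed on any request
// that arrives with a logged-in session, including a plain GET.
function place_order_weak(string $method, array $params, array $session): string
{
    if (empty($session['user'])) {
        return 'denied: not logged in';
    }
    return "order placed: item {$params['item']} for {$session['user']}";
}

// Hardened: state changes only on POST, and only with the session's secret token.
function place_order_hardened(string $method, array $params, array $session): string
{
    if (empty($session['user'])) {
        return 'denied: not logged in';
    }
    if ($method !== 'POST') {
        return 'denied: GET must not change state';
    }
    $sent = $params['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals($session['csrf_token'], $sent)) {
        return 'denied: missing or wrong token';
    }
    return "order placed: item {$params['item']} for {$session['user']}";
}

// Constructed sample data: a logged-in session with a random per-session token.
$session = ['user' => 'alice', 'csrf_token' => bin2hex(random_bytes(16))];

$requests = [
    // What the server sees when a browser fetches an <img> URL: a GET with the
    // user's session attached; the page that embedded the URL cannot know the token.
    'img fetch'     => ['GET',  ['item' => '42']],
    // A POST that arrives without the token.
    'tokenless post' => ['POST', ['item' => '42']],
    // The site's own order form, which embeds the token it issued.
    'own form'      => ['POST', ['item' => '42', 'csrf_token' => $session['csrf_token']]],
];

foreach ($requests as $label => [$method, $params]) {
    echo "$label / weak:     ", place_order_weak($method, $params, $session), "\n";
    echo "$label / hardened: ", place_order_hardened($method, $params, $session), "\n";
}
```

The weak handler places the order in all three cases, regardless of whether the image URL was posted by a user on the same site or sits on an unrelated page; the hardened handler accepts only the site's own form submission.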