FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Magic quotes? Should I still be cautious?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Magic quotes? Should I still be cautious? [message #176453 is a reply to message #176437] Sat, 07 January 2012 16:59 Go to previous messageGo to previous message
Thomas Mlynarczyk is currently offline  Thomas Mlynarczyk
Messages: 131
Registered: September 2010
Karma:
Senior Member
Jerry Stuckle schrieb:

> I didn't say you didn't need to validate the parameter. But limiting
> values to the proper operation makes it harder for hackers to break in.

Harder? Well, by a microscopically tiny amount, yes. The Web Developer's
Toolbar on Firefox has a menu allowing me to change POSTs to GETs and
vice versa. And I'm sure with Google you can find in 5 minutes a tool
that lets you choose between GET, POST and COOKIE and has many other
"hacking features". So, for all practical purposes, I do not consider
this to make it any harder for hackers.

> It DOES matter where it came from - and data coming in from the wrong
> variable can get their IP blocked from the site. There is no use making
> it easy for them.

Yes, but I still feel that this "where-did-it-come-from" check in
addition to the proper validation you have to do anyway is like putting
a banana peel on the floor so in case the enemy manages to force the
iron gate guarded by a three-headed dragon they will slip on it and
break their neck.

Let's consider an example: A site is available in several languages and
the user can choose a language by clicking on a link (which sends a GET
variable like "lang=de"). The selected language will be stored in a
cookie ("lang=de"), so next time the user visits the site their
preferred language will already be selected. Now on every request the
site checks if there is a "lang" variable (coming from any source) and
sets the proper language accordingly and if the language differs from
the previous one, the lang cookie will be set. A forced distinction
between GET and COOKIE doesn't seem very intelligent to me here. And
even if lang came via POST -- what would it matter?

But lets say we have something more serious, like "delete=all", supposed
to come via POST. Sure, if this came via COOKIE it would certainly be
wrong. If it came via GET, well, there might be a legitimate reason --
or not. But even if it comes via POST, I would not accept it unless I
have a valid session with a valid user logged in who has the privilege
to delete "all". A script kiddie might try to send "delete=all" via GET,
but my three-headed dragon at the iron gate should politely refuse that
request. And if the script kiddie is smart enough to hijack the session
of a sufficiently privileged user, they will surely not be stupid enough
to slip on the GET/POST banana peel.

> I have people trying to break into the sites I designed almost daily
> (multiple times daily if you also include SMTP and SSH attacks). None
> have succeeded.

Would they have succeeded had you allowed any of the three input
sources? Yes? Then your site is not safe, but it's certainly not due to
that. No? Well, see, I was right ;-)

Greetings,
Thomas

--
Ce n'est pas parce qu'ils sont nombreux à avoir tort qu'ils ont raison!
(Coluche)
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Lilupophilupop
Next Topic: [WSP] CALL FOR PAPERS [FREE]
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 24 22:31:39 GMT 2024

Total time taken to generate the page: 0.04540 seconds