RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Date: Wed, 18 Aug 2004 08:38:23 +1000
IE might decide, based on MIME type, whether or not the linked image is
really an 'image' (I hope it wouldn't only check the extension). But of
course, even checking the MIME type won't help at all if you have
control over the server, as you can link to x.jpg, perform the logout, or
login, or whatever, and then write out the bytes for a JPEG.

I'm not sure what point the random number would have ...

-----Original Message-----
From: Ed Lazor [mailto:Ed.Lazor@d20News.com] 
Sent: Tuesday, 17 August 2004 5:01 AM
To: Saqib.N.Ali@seagate.com; shiflett@php.net
Cc: php-general@lists.php.net; webappsec@securityfocus.com
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

What if you add a random seed to the URL?

<img src="http://slashdot.org/my/logout?fluff=<?php echo rand(1,200);?>"
height="1" width="1">



-----Original Message-----
Hello Chris,

I can't share the exact code ;) , but here is something very similar:

<img src="http://slashdot.org/my/logout" height="1" width="1">

If I load a web page with the above code, it should log me out of
Slashdot. It works in Mozilla (and Netscape), but not in I.E. 6.01 SP1.





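The endpoint the thread is attacking, as an added example that is not code from the thread or from Slashdot: a PHP logout handler in the vulnerable form (any GET ends the session, so a cross-site `<img>` tag fires it) next to a hardened form that only acts on a POST carrying a session-bound token. The route names, the `demo` user and the file name are assumptions for illustration. The `?fluff=<random>` parameter from Ed's message is included so its effect is visible: it only defeats the browser cache, it neither helps nor hinders the attack.

```php
<?php
// Added example, not code from the thread: a logout endpoint of the kind
// attacked with <img src="http://slashdot.org/my/logout">, in a vulnerable
// and a hardened form. Routes, names and the demo user are assumptions.
// Run with:   php -S 127.0.0.1:8080 csrf_logout.php
// then open   http://127.0.0.1:8080/   in a browser.
session_start();

// Vulnerable: any request ends the session, including a cross-site GET
// issued by an <img> tag on an attacker's page. The ?fluff=<random>
// parameter from the thread changes nothing here except that it defeats
// the browser cache, so the request is really sent each time.
function logout_vulnerable(): void
{
    $_SESSION = [];
    session_destroy();
    echo "Logged out (vulnerable route)\n";
}

// Hardened: (1) state changes only on POST, which an <img> tag cannot
// issue, and (2) the POST must carry a token bound to the victim's session.
// The attacker's page cannot read that token (same-origin policy), so it
// cannot forge a valid request even if it can submit a cross-site form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(array $post, array $session): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // is_string() rejects csrf_token[]=x; hash_equals() compares in constant
    // time so the token cannot be recovered byte by byte from timing.
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

function logout_hardened(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        echo "Logout requires POST\n";
        return;
    }
    if (!csrf_valid($_POST, $_SESSION)) {
        http_response_code(403);
        echo "Missing or invalid CSRF token\n";
        return;
    }
    $_SESSION = [];
    session_destroy();
    echo "Logged out\n";
}

// Minimal routing for the demo.
$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
switch ($path) {
    case '/vulnerable/logout':
        logout_vulnerable();
        break;
    case '/logout':
        logout_hardened();
        break;
    default:
        $_SESSION['user'] = $_SESSION['user'] ?? 'demo';   // assumed demo login
        $user  = htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
        $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
        echo "<p>Logged in as {$user}</p>\n";
        echo "<form method=\"post\" action=\"/logout\">\n";
        echo "  <input type=\"hidden\" name=\"csrf_token\" value=\"{$token}\">\n";
        echo "  <button type=\"submit\">Log out</button>\n";
        echo "</form>\n";
        // The thread's payload, pointed at the hardened route: the browser
        // still sends the GET, the server answers 405 and the session
        // survives. Point src at /vulnerable/logout and reload to watch
        // the session end instead.
        echo "<img src=\"/logout?fluff=1\" height=\"1\" width=\"1\">\n";
}
```

Whether a given browser fetches the image or inspects its MIME type is not something the server can rely on; the fix has to be on the server side, and the two parts are both needed: refusing GET stops the `<img>` vector, and the session-bound token stops a cross-site auto-submitted form, which an attacker's page can issue just as easily. The token must be compared against the session, not merely checked for presence, or an attacker can supply one of their own.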

