
Stefan Esser's Blog:
PHP 5.3 and Delayed Cross Site Request Forgeries/Hijacking
October 01, 2008 @ 07:53:22

In a new post on his blog, Stefan Esser looks at cross-site request forgeries and how they can be prevented in PHP 5.3 with two measures: setting the request_order directive in your php.ini and no longer using $_REQUEST.

Although PHP 5.3 is still in alpha stage and certain features like the PHAR extension or the whole namespace support are still topics of endless discussions it already contains smaller changes that could improve the security of PHP applications a lot. [...] With request_order it is now possible to control in what order $_REQUEST is created and what variable sources are taken into account. This finally allows removing cookie data from $_REQUEST without removing them from $_COOKIE also.

He explains why using $_REQUEST can lead to such problems (and security holes), noting that it makes overriding an application's GET or POST values as simple as adding a cookie. A site that uses $_REQUEST this way can even be hit with a Denial of Service attack. He points to a similar issue that affected phpMyAdmin a while back.

His recommendation?

Once PHP 5.3 is out it is recommended for hosters to set request_order to "GP" on all the servers running arbitrary PHP applications to protect applications [and] application developers on the other hand should finally move away from using $_REQUEST for user input.
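
The effect of the two recommendations, as an added example that is not code from Esser's post or from PHP itself: build_request() models how $_REQUEST is filled from GET, POST and cookie data in the configured order, and explicit_param() shows reading from one named source instead. Both function names and all sample values are constructed for illustration.

```php
<?php
// Added illustration, not code from Stefan Esser's post or from PHP itself.
// build_request() and explicit_param() are hypothetical helpers; all values
// below are constructed sample data.

// Model of how PHP assembles $_REQUEST: sources are registered left to right
// in the configured order, and a later source overwrites an earlier one.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// Developer-side fix: read a parameter from one named source only.
function explicit_param(array $source, string $name): ?string
{
    return isset($source[$name]) && is_string($source[$name]) ? $source[$name] : null;
}

// Constructed request: the query string asks to view item 42, while a cookie
// with the same parameter name is already stored in the browser.
$get    = ['action' => 'view', 'id' => '42'];
$post   = [];
$cookie = ['action' => 'logout'];

// Cookies included ("GPC"): the cookie value replaces the GET value.
$weak = build_request('GPC', $get, $post, $cookie);

// php.ini: request_order = "GP" -- cookies never reach $_REQUEST,
// but stay available to the application through $_COOKIE.
$hardened = build_request('GP', $get, $post, $cookie);

printf("GPC: action=%s\n", $weak['action']);
printf("GP:  action=%s\n", $hardened['action']);
printf("explicit GET read: action=%s\n", explicit_param($get, 'action'));
```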

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework