
Chris Shiflett's Blog:
Myspace CSRF and XSS Hack
Oct 14, 2005 @ 10:30:59

While not specifically PHP-related (the same thing can happen in any web language), this new post from Chris Shiflett points to a major, current example of how Cross-Site Request Forgeries (CSRF) can be a serious problem for you and your site.

In the comments to my article on CSRF, someone questioned whether CSRF is really anything worth worrying about. Rather than give a hypothetical example, I can point to a real one that is getting some attention today:

This attack seems pretty harmless (I'd rather not discuss ethical concerns), but it demonstrates something very powerful - a combination of XSS and CSRF.

As if either one on its own wasn't bad enough, you especially need to watch for XSS: an injected script runs in your site's own origin, so it can read whatever the page can read (anti-CSRF tokens included) and submit forged requests that a purely cross-site attack could not. XSS is therefore both a precursor to and an enabler of CSRF. Be sure to check out Chris' articles on CSRF and on foiling it for more information...

UPDATE: Ilia also has a post on his blog concerning the issues surrounding this worm.
