Martin Zvarík wrote:
> Jochem Maas wrote:
>> Martin Zvarík wrote:
>>   
>>> What's the point?
>>>
>>> If user puts in a search input something like <script>alert('I am super
>>> hacker');</script>
>>>
>>> And the website outputs:
>>> You are searching for: <script>....</script>
>>>
>>> then what? it shows an alert(), who cares?
>>>     
>>
>> replace the alert() with some code that passes the cookie to a hacker controlled
>> domain. now create a URL that includes the given javascript:
>>
>> echo 'http://mzvarik.com/foo?somevar='.urlencode('<script type="text/javascript">/*evil code here*/</script>');
>>
>> send url to unsuspecting users of your site. anyone who clicks the URL
>> has just had their cookies hijacked.
>>
>> still don't mind?
>>   
> AHA, I see.
> There's a PHP configuration that cookies are available on HTTP side
> only, that should provide the desired security in this case, right?
> 

only if you assume there is no bug in the browser allowing the attacker to
circumvent that (the http cookie exists by definition on the client), and
only if you assume stealing cookies is the only malign action an attacker
might wish to take.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
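
The point of the last reply, as an added example that is not part of the thread: the HttpOnly cookie flag is defence in depth, while encoding the value at output is what stops the injected markup from running. The function names are hypothetical, and `'secure' => true` assumes the site is served over HTTPS.

```php
<?php
declare(strict_types=1);

// Defence in depth only: HttpOnly hides the session cookie from
// document.cookie, but an injected script would still run in the page
// and could act with the visitor's session. Call before any output
// and before session_start().
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // assumption: HTTPS-only site
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Vulnerable pattern from the thread: the request value is echoed
// into the HTML response unchanged.
function render_search_unsafe(string $term): string
{
    return 'You are searching for: ' . $term;
}

// The actual fix: encode for the HTML context at output time, so the
// browser treats the value as text and never as markup.
function render_search_safe(string $term): string
{
    return 'You are searching for: '
        . htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input: the alert() string quoted in the thread, standing
// in for $_GET['somevar'].
$term = "<script>alert('I am super hacker');</script>";

$unsafe = render_search_unsafe($term);
$safe   = render_search_safe($term);

// Report whether each rendering still carries a live <script> tag.
foreach (['unsafe' => $unsafe, 'safe' => $safe] as $label => $html) {
    $live = strpos($html, '<script') !== false;
    echo $label, ': ', $html, "\n";
    echo '  contains live <script> tag: ', $live ? 'yes' : 'no', "\n";
}
```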
