  1. #1 stuffedbuggy (SitePoint Zealot, joined Sep 2008)

    Question: php variable in file_upload field

    deleted
    Last edited by stuffedbuggy; Dec 19, 2008 at 11:25.
    You know you cooler than me...

  2. #2 wibble wobble (SitePoint Addict, joined Dec 2008)
    That's not allowed because it would let you upload any file from a user's computer (by setting the default path and using JavaScript to submit straight away).
    Find freelance jobs from all the major sites in one place:
    on twitter / on the web / twitter rss feed

  3. #3 wibble wobble (SitePoint Addict, joined Dec 2008)
    On a security note, you seriously need to fix your own. I managed to redirect pages to a cookie jar where I could steal your users session IDs in under 5 mins :|

  4. #4 wibble wobble (SitePoint Addict, joined Dec 2008)
    Security. Like I said in the last post.

  5. #5 wibble wobble (SitePoint Addict, joined Dec 2008)
    Quote (originally posted by stuffedbuggy):
        I'm not understanding how the session IDs can be attacked, they're hidden in the PHP code
    No. The session ID is stored on the browser in a cookie. That ID is then used to access the session data on the server.

    I go onto your website, XSS, steal your users session IDs, and suddenly I am them. THAT is what you need to fix.
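    As an added illustration of the point made in this reply (this is not code from either poster or from the site being discussed): because the session ID lives in a browser cookie, the server-side defences are to keep that cookie out of reach of script (HttpOnly), off plain HTTP (Secure), to refuse IDs the server never issued (strict mode), to rotate the ID at login, and to escape everything echoed into HTML so an injected script never runs in the first place. The snippet is an assumed minimal login page for PHP 7.3 or later (the array form of session_set_cookie_params() and the SameSite option need that version); the function names, form field names and the demo account are hypothetical.

```php
<?php
// Added example, not the thread's code. Assumes PHP >= 7.3.
declare(strict_types=1);

// 1. Session cookie settings must be applied BEFORE session_start().
ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not generate
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript (document.cookie)
    'samesite' => 'Strict', // not sent on cross-site requests
]);
session_start();

// 2. Escape everything that goes into HTML. This is what stops injected
//    markup or script from being rendered as code.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Hypothetical credential check; a real site would look the hash up
//    in its user store instead of hashing a constructed demo password here.
function checkCredentials(string $user, string $pass): bool
{
    $demoHash = password_hash('demo-password', PASSWORD_DEFAULT); // constructed demo account
    return $user === 'demo' && password_verify($pass, $demoHash);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string)($_POST['user'] ?? '');
    $pass = (string)($_POST['pass'] ?? '');
    if (checkCredentials($user, $pass)) {
        // 4. Rotate the session ID on login so an ID obtained before
        //    authentication is not the ID that becomes authenticated.
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Login</title></head>
<body>
<?php if (isset($_SESSION['user'])): ?>
  <p>Logged in as <?= e($_SESSION['user']) ?></p>
<?php else: ?>
  <form method="post" action="">
    <label>User <input name="user"></label>
    <label>Password <input name="pass" type="password"></label>
    <button type="submit">Log in</button>
  </form>
<?php endif; ?>
</body>
</html>
```

    Save it as a page served only over HTTPS (the Secure flag means the cookie is never sent otherwise). The e() helper must be used for every value echoed into the page, not only the username shown here; a cross-site request forgery token for the form is a separate control and is deliberately left out of this example.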

  6. #6 wibble wobble (SitePoint Addict, joined Dec 2008)
    It's very simple, but you are running a shopping website where users could be entering sensitive data and you can't even be bothered to secure it? You deserve to be hacked or sued.

    I'm so sick of the threads in here tonight. Cya all tomorrow.
