August 2nd, 2002, 06:03 AM
Where has all the security gone?
I looked at the main page and saw that nothing was really about security, at least not much, so I decided to post something.
I recently heard about the PHP POST exploit, and I have to tell you, it really confuses me. I always use the POST method because that way, when I have somebody fill out a form, it doesn't put all their answers in the address bar. So what I don't understand is how people can exploit the POST method, because POST doesn't put anything in front of the user to manipulate. I know how GET requests can be changed to do some odd things, since GET requests put all the input in the address bar, but I really don't understand how this POST exploit works. I don't want to know how to exploit pages, but basically, could somebody go around and screw with my server because I use POST? Thanks. By the way, I would say I'm an intermediate user of PHP, so please don't post something over my head.
Sorry about the misleading title
August 2nd, 2002, 06:47 AM
The PHP exploit (and there have been a few) affects Apache web serving software, and they have issued patches. Do a Google search and you can find most, if not all, of the info you want. Unless you run Apache, the PHP issue may not be of concern. Know your server software, keep up on patches, apply them, then read how the exploit works.
I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure. - Glenn Seaborg
August 2nd, 2002, 07:05 AM
The fundamental difference between the two methods is illustrated below.
A GET request might look similar to this:
The same request as a URL-form-encoded POST might appear as:
POST data could also be sent as a multipart MIME type.
Basically, no matter what HTTP method or enctype is used, the data is being sent, read and interpreted, leaving room for vulnerabilities. One thing to note is that standard web service architectures store the query string from a GET request as an environment variable and leave the POST data retrieval up to the specified handler (i.e. PHP).
As far as accessing POST variables from the form to create chaos, a number of methods can be used. The most common is telnet, i.e. simulating an HTTP session. Another might be an inline request editor like WebProxy from @stake. And yet another option would be to use the provided form or a modified local copy of it. The only real security that a POST offers over a GET is against an over-the-shoulder attack. It has no bearing on the server outside of any specific flaws in the implementation of how that data is read and interpreted, such as the one in your topic.
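The point made in the post above (the client, not the form, decides what a POST carries, and the server parses it just as it parses a query string) as an added example, not code from the original thread. It builds the raw HTTP bytes one would type into a telnet session for the same form data as a GET and as a POST, then parses both on the server side with the same split the post describes: GET fields from the query string, POST fields from the body the handler reads itself. The hostname, the path `/order.php`, the form fields and the "tampered" submission are all constructed for the example.

```python
"""
Same form submission as a GET and as a POST, parsed on the "server" side.
Shows that the client fully controls POST data, so a server must validate
it exactly as it validates a query string. Added example; hostname, path
and field names are assumptions, not taken from the original thread.
"""
from urllib.parse import urlencode, parse_qs

HOST = "www.example.com"  # assumed hostname


def build_get(path: str, fields: dict) -> bytes:
    """Raw HTTP/1.1 GET request with the fields in the query string."""
    query = urlencode(fields)
    return (
        f"GET {path}?{query} HTTP/1.1\r\n"
        f"Host: {HOST}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def build_post(path: str, fields: dict) -> bytes:
    """Raw HTTP/1.1 POST with the same fields url-form-encoded in the body.
    This is exactly what one types into a telnet session to port 80."""
    body = urlencode(fields).encode("ascii")
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {HOST}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    return head + body


def parse_request(raw: bytes) -> dict:
    """Minimal server-side parse that extracts form fields from either method.
    GET params come from the query string (what a CGI server exposes as
    QUERY_STRING); POST params come from the body the handler must read."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("ascii").split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if method == "GET":
        _, _, query = target.partition("?")
        params = parse_qs(query, keep_blank_values=True)
    elif method == "POST":
        ctype = headers.get("content-type", "")
        if not ctype.startswith("application/x-www-form-urlencoded"):
            raise ValueError(f"unsupported enctype: {ctype}")
        length = int(headers.get("content-length", "0"))
        params = parse_qs(body[:length].decode("ascii"), keep_blank_values=True)
    else:
        raise ValueError(f"unsupported method: {method}")
    # Flatten single-valued fields, the way PHP's $_GET / $_POST present them.
    return {k: v[0] if len(v) == 1 else v for k, v in params.items()}


# Constructed sample data: what a legitimate user submits through the form.
FORM_FIELDS = {"name": "alice", "qty": "1", "price": "9.99"}

# Constructed tampered data: the same POST with a field the form offered no
# way to change (a hidden "price" input, say). Nothing on the client stops this;
# the server sees it only if it re-validates the field itself.
TAMPERED_FIELDS = {"name": "alice", "qty": "1", "price": "0.01"}


def demo() -> dict:
    """Parse the GET, the honest POST and the tampered POST for comparison."""
    return {
        "get": parse_request(build_get("/order.php", FORM_FIELDS)),
        "post": parse_request(build_post("/order.php", FORM_FIELDS)),
        "tampered": parse_request(build_post("/order.php", TAMPERED_FIELDS)),
    }


if __name__ == "__main__":
    for label, params in demo().items():
        print(f"{label:9s} -> {params}")
```

The GET and the POST parse to identical field sets, and the tampered POST parses just as cleanly as the honest one; the only difference is where the bytes sit in the request. Whatever check a PHP handler applies to `$_GET` it needs to apply to `$_POST` as well.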