noother | 21.01.2008 12:52:54
Oops [image]http://www.bright-shadows.net/logout.php[/image]
Edit: yeah, it is annoying
(Edited by noother on 21.01.2008 13:38:58)

quangntenemy | 21.01.2008 13:04:40
Yeah, that's an old CSRF bug that hasn't been fixed. http://www.bright-shadows.net/forum/forum_showtopic.php?topicid=2329
(Edited by quangntenemy on 21.01.2008 13:05:20)

noother | 21.01.2008 13:28:35
Then let's try to fix it. The simplest way would be a little form at logout.php which asks "Do you really want to logout?" or something with a POST button, I guess.

quangntenemy | 21.01.2008 13:38:22
Yeah, but the admins are quite busy/lazy for now. PS: did you get yourself logged out too?

noother | 21.01.2008 13:42:58
Well, I turned off loading images to bypass it. But that screws the layout up, so I just edited it.

noother | 21.01.2008 15:55:34
OK, I played around with this for a while and noticed that a POST form is worthless. You can't just do an <img src= for this. You have to make the user click on a link to visit your prepared page. Example:

Quote:
    <form id="test" method="POST" action="http://www.bright-shadows.net/logout.php">
        <input type="hidden" name="submit" value="ya, log me out">
    </form>
    <body onload="test.submit()"></body>

assuming logout.php checks for $_POST['submit'] == "ya, log me out".

With this you could of course do other funny things, like giving admin rights to yourself, adding news etc. All you need is an admin clicking your link. I don't think everyone here is surfing with JavaScript turned off and checks the source of every page before visiting.

A secure way would be to add an <input type="hidden" or a &secret= in the URL with random data, stored in a $_SESSION which is checked before logging out or other things. (And make sure the page doesn't allow XSS.)
(Edited by noother on 21.01.2008 16:03:03)

unknown user | 21.01.2008 18:56:04
This is pretty old news.

noother | 21.01.2008 19:18:48
Oh well, maybe you overlooked the line "With this you could of course do other funny things, like giving admin rights to yourself, adding news etc." The logout thing is just a very simplified example. The same way you can post forum posts with the corresponding nick automatically, for example, open topics, or if an admin clicks the link: delete topics. Or if an admin is logged into the adminzone/ (htaccess), do nasty things. (Assuming you know the field names for the different actions.)

unknown user | 21.01.2008 21:46:12
I didn't miss anything, it's just old news.

quangntenemy | 22.01.2008 01:37:00
So there's no other way than using a random/secret code? Imagine we have to secure 100 pages like that... It'll be a tedious and error-prone job. I wonder what the WWW's evolving into...
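The session-bound secret noother describes, built as one shared helper so that the "100 pages" quangntenemy worries about each need only a single call, as an added example (not bright-shadows.net's own code); the file names csrf.php and logout.php and the field name csrf_token are assumptions:

```php
<?php
// csrf.php: one shared synchronizer-token helper, required by every
// state-changing page instead of hand-securing each page (added example).
declare(strict_types=1);
session_start();

/** Per-session secret: created once from the CSPRNG, reused afterwards. */
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden input to embed in every form that performs an action. */
function csrf_field(): string {
    $t = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $t . '">';
}

/** Valid only for a POST whose token equals the one in this session. */
function csrf_is_valid(array $post, string $method): bool {
    if ($method !== 'POST' || empty($_SESSION['csrf_token'])) {
        return false;                 // GET (e.g. an <img src=...>) never acts
    }
    $sent = $post['csrf_token'] ?? '';
    // hash_equals compares in constant time, so no timing leak of the token
    return is_string($sent) && hash_equals($_SESSION['csrf_token'], $sent);
}

/** Central gate: first call on any page that changes state. */
function csrf_verify_or_die(): void {
    if (!csrf_is_valid($_POST, $_SERVER['REQUEST_METHOD'] ?? 'GET')) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
}

// ---- logout.php, using the helper above (require 'csrf.php' first) ----
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    csrf_verify_or_die();             // a foreign page cannot read this token
    $_SESSION = [];
    session_destroy();
    header('Location: /');
    exit;
}
// GET only shows the confirmation form; nothing is logged out yet.
echo '<form method="POST" action="/logout.php">' . csrf_field()
   . '<button type="submit">Yes, log me out</button></form>';
```

The token is never in a URL, so it does not leak through Referer headers or browser history, and the same-origin policy keeps another site from reading it out of the form.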