Newsgroups: php.internals
Xref: news.php.net php.internals:58163
Date: Mon, 27 Feb 2012 18:34:00 +0100
From: Ferenc Kovacs <tyra3l@gmail.com>
To: Richard Lynch
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] $_PARAMETERS Super Global Object
In-Reply-To: <6138b74f9168e00c127570bc24e086ed.squirrel@www.l-i-e.com>

On Mon, Feb 27, 2012 at 6:17 PM, Richard Lynch wrote:

> On Fri, February 24, 2012 4:48 pm, Ronald Chmara wrote:
> > On Fri, Feb 24, 2012 at 2:40 PM, Larry Garfield wrote:
> >>> To me, it's just a request for some content, and in a REST API that's
> >>> read-only, I just don't care if the consumer sends their request as
> >>> GET or POST. I'll cheerfully give them what they wanted.
> >> Except that per HTTP, GET and POST are completely different operations. One
> >> is idempotent and cacheable, the other is not idempotent and not cacheable.
> >> I very much care which someone is using.
> >
> > People exploiting security would *never* think of
> > caching/replaying/modifying a POST request, that's just totally
> > unimaginable! It would take, like HUGE computational effort to like,
> > cURL it or just type it out!
>
> You missed the totally newbie way, or at least a way to demonstrate
> the issue to somebody who simply doesn't understand the issue:
> Save the HTML form to your hard drive.
> Edit it in Notepad (et al) to make up whatever value="xyz" you want.
> Open it in your browser using "Open File..." and pick the file.
> Submit the FORM.
>
> I had to do this several times for non-technical bosses or students
> who simply refused to believe that it was TRIVIAL to forge POST
> requests...
>
> Once they saw it in action, the light bulb goes "on" and you can say:
> I can also script this to repeat the same thing a million times with
> form-letter substitution, and then they understand it *is* trivial.
>
> Maybe I just had dense bosses/students, or I was bad at explaining the
> idea, but it worked for me...
>

Changing the method in curl is even easier.

You both missed the fact that Larry is aware of the fact that POST is forgeable. There are cases when you can improve your security model (even by a little bit) if you don't allow the method to be interchangeable.

For example: if I have an XSS vulnerability on bugs.php.net, it is much easier for me to trick the devs into clicking on the link if the said vuln is exploitable through GET. If it can only be exploited through POST, I have to set up a page somewhere with a POST form, pointing to the vulnerable url, and ask the said devs to visit that url and submit the form (or have javascript enabled, so that I can submit it for them). Exploiting the reflected vulnerabilities is much easier if you can do it through GET.

ps: if you don't know what Larry meant by the idempotent method, see http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
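The design point Ferenc makes (keep GET and POST non-interchangeable rather than reading from a merged `$_REQUEST` or a proposed `$_PARAMETERS`) can be shown in a small PHP dispatcher. The code below is an added example written for this page, not code from the thread or from PHP itself; the `ROUTES` table, the `resolveParams()` function and the route names are assumptions. Each route declares the one method it accepts and reads parameters only from the matching superglobal, so a read-only route is never driven by a POST body and a state-changing route is never driven by a crafted link.

```php
<?php
// Added example (not from the php.internals thread): a minimal dispatcher that
// refuses to treat GET and POST as interchangeable. ROUTES, resolveParams() and
// the route names are assumptions made for illustration.

declare(strict_types=1);

// Read-only routes are GET (idempotent, cacheable per RFC 2616 sec 9.1);
// state-changing routes are POST. Each route names the single superglobal it reads.
const ROUTES = [
    'show' => ['method' => 'GET',  'source' => 'query'],
    'save' => ['method' => 'POST', 'source' => 'body'],
];

/**
 * Resolve the parameters for $action, taking them ONLY from the superglobal
 * that matches the declared method. A mismatch is answered with 405 instead of
 * silently falling back to the other superglobal.
 *
 * @param string $action  route name (from the URL)
 * @param string $method  value of $_SERVER['REQUEST_METHOD']
 * @param array  $get     contents of $_GET
 * @param array  $post    contents of $_POST
 * @return array{status:int, params:array}
 */
function resolveParams(string $action, string $method, array $get, array $post): array
{
    if (!isset(ROUTES[$action])) {
        return ['status' => 404, 'params' => []];
    }
    $route = ROUTES[$action];
    if ($method !== $route['method']) {
        // Wrong method for this route: reject rather than merge inputs.
        return ['status' => 405, 'params' => []];
    }
    $params = $route['source'] === 'body' ? $post : $get;
    return ['status' => 200, 'params' => $params];
}

// How a real entry point would call it (left as comments so the file runs offline):
// $action = $_GET['action'] ?? '';
// $result = resolveParams($action, $_SERVER['REQUEST_METHOD'], $_GET, $_POST);
// if ($result['status'] !== 200) { http_response_code($result['status']); exit; }

// Constructed sample requests (no real traffic), one per outcome:
$cases = [
    ['save', 'GET',  ['action' => 'save', 'title' => 'x'], []],  // link-driven GET to a POST route -> 405
    ['save', 'POST', ['action' => 'save'], ['title' => 'x']],    // proper form submit -> 200
    ['show', 'POST', ['action' => 'show'], ['id' => '7']],       // POST to a read-only route -> 405
    ['show', 'GET',  ['action' => 'show', 'id' => '7'], []],     // plain read -> 200
];
foreach ($cases as [$action, $method, $get, $post]) {
    $r = resolveParams($action, $method, $get, $post);
    printf("%-4s %-4s -> %d %s\n", $action, $method, $r['status'], json_encode($r['params']));
}
```

This only enforces what the thread argues for: the method stays part of the contract, so a reflected flaw in a POST-only handler cannot be reached with a bare link. As Ferenc notes, POST itself is still forgeable, so method separation narrows exposure rather than replacing request authentication.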