[nycphp-talk] javascript calling php function

Susan Shemin susan_shemin at yahoo.com
Fri Feb 22 14:18:18 EST 2008


Love your insight into this and the clear example you gave!

I tried to get the header code to work, but it wouldn't execute the PHP code, so I went to my saved books on devx/Safari and got some code from the PHP Cookbook about using a form with hidden variables to send the user to the clicked link, and all works well now. (And I'll add the acceptable URLs code now.)

example from PHP Cookbook, section 8.3.4:

<html>
  <body onload="document.getElementById('redirectForm').submit()">
    <form id='redirectForm' method='POST' action='/done.html'>
      <input type='hidden' name='status' value='complete'/>
      <input type='hidden' name='id' value='0u812'/>
      <input type='submit' value='Please Click Here To Continue'/>
    </form>
  </body>
</html>

I just changed the action to where the user is to go, commented out the submit input line so the button wouldn't show, and put my PHP code after the body tag.

Susan


----- Original Message ----
From: Rolan Yang <rolan at omnistep.com>
To: NYPHP Talk <talk at lists.nyphp.org>
Sent: Friday, February 22, 2008 8:47:37 AM
Subject: Re: [nycphp-talk] javascript calling php function

csnyder wrote:
> Right, you can't trust the referer if you fear scripted attacks.
>
> John, is that what you were talking about, or was it something more
> abstract and seo-related?
>
> I was picturing people using the open redirect to take advantage of
> your page rank by causing your site to link to theirs.
>
>  

Your paranoia is well justified. Open redirects are exploited by 
unsavory people in a number of ways. I came across a phishing email 
recently posing as a fake "Paypal confirmation". In the page was a link 
which appeared to point at aol.com (some 1/2 internet savvy people 
glance at the url to see if it points to a "reputable" site before 
clicking away on it). The aol.com link led to a well constructed 
imitation of the Paypal login page which was intended to maliciously 
steal accounts. Here is an example of the link:

http://www.aol.com/redir.adp?_e_t=ap&_a_v=2.0&_a_i=100124311x1116601028x1077500809&_url=http://www.nyphp.org

If you want to peek at a copy of the original phishing mail, check out 
http://www.datawhorehouse.com/0day/paypalphish

The safer thing for Susan to do would probably be to put all the valid 
redirect URLs in an array like:

redir.php:

<?php
// Allowlist of redirect targets, addressed by integer index so the
// destination never comes from user-supplied text.
$validURLS = array(
    0 => 'www.mysite.com',
    1 => 'www.yahoo.com',
    2 => 'www.nyphp.org',
    3 => 'www.php.net'
);

// Coerce the index to an integer and fall back to entry 0 if it is not
// a known key (negative, too large, or non-numeric).
$r = isset($_GET['r']) ? intval($_GET['r']) : 0;
if (!isset($validURLS[$r])) {
    $r = 0;
}

// some code to store hit in db logs goes here

header('Location: http://' . $validURLS[$r]);
exit;
?>

~Rolan

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
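The phishing link Rolan quotes works because the redirect script trusts whatever URL it is handed. The following is an added example, not code from anyone in the thread, that puts four ways of handling a user-supplied destination side by side and runs them against the same constructed inputs: the open redirect, a prefix check that many people reach for first, a host allowlist built on parse_url(), and Rolan's index-into-an-array approach. The host names, index values and file name (redirect_demo.php) are made up for the demonstration; it runs from the command line and only prints the Location value it would have sent.

```php
<?php
// Added example (not from the original thread). Run: php redirect_demo.php
// All host names and inputs below are constructed for the demonstration.

// 1. Open redirect: the caller's value becomes the Location header verbatim.
//    This is the pattern the aol.com/redir.adp?...&_url=... phishing link abuses.
function open_redirect_target($userUrl) {
    return $userUrl;
}

// 2. A common but broken "fix": a string prefix check on the full URL.
//    Anything that merely starts with our site's URL gets through.
function prefix_check_target($userUrl, $ourSite = 'http://www.mysite.com') {
    if (strpos($userUrl, $ourSite) === 0) {
        return $userUrl;
    }
    return $ourSite . '/';
}

// 3. Host allowlist: parse the URL, compare the host exactly (lowercased),
//    force the scheme to http and keep only a simple absolute path.
//    Userinfo ("www.mysite.com@evil"), port, query and fragment are discarded.
function host_allowlist_target($userUrl, array $allowedHosts, $fallback = 'www.mysite.com') {
    $parts = parse_url($userUrl);
    if ($parts === false || !isset($parts['host'])) {
        return 'http://' . $fallback . '/';
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowedHosts, true)) {
        return 'http://' . $fallback . '/';
    }
    $path = isset($parts['path']) ? $parts['path'] : '/';
    if ($path === '' || $path[0] !== '/') {
        $path = '/';
    }
    return 'http://' . $host . $path;
}

// 4. Rolan's approach: the client never sends a URL, only an index into a
//    server-side table, so there is no attacker-controlled text to parse.
function index_allowlist_target($r, array $validURLS) {
    $i = intval($r);
    if (!isset($validURLS[$i])) {
        $i = 0;
    }
    return 'http://' . $validURLS[$i];
}

$allowedHosts = array('www.mysite.com', 'www.yahoo.com', 'www.nyphp.org', 'www.php.net');

// Constructed attacker inputs.
$inputs = array(
    'http://www.nyphp.org/',                       // legitimate
    'http://evil.example/paypal-login',            // plain open redirect
    'http://www.mysite.com.evil.example/login',    // passes the prefix check
    'http://www.mysite.com@evil.example/login',    // userinfo trick, also passes it
    '//evil.example/login',                        // scheme-relative
);

foreach ($inputs as $u) {
    printf("input:      %s\n", $u);
    printf("  open:     %s\n", open_redirect_target($u));
    printf("  prefix:   %s\n", prefix_check_target($u));
    printf("  hostlist: %s\n", host_allowlist_target($u, $allowedHosts));
}

// Index inputs: valid, out of range, negative, non-numeric.
foreach (array('2', '99', '-1', 'abc') as $r) {
    printf("index %-4s -> %s\n", $r, index_allowlist_target($r, $allowedHosts));
}
```

In a web context the returned string is what goes into header('Location: ...'), followed by exit so nothing after the header runs. The third and fourth inputs are the ones to watch: both begin with http://www.mysite.com, so the prefix check forwards the user to evil.example, while parse_url() reports the real host (www.mysite.com.evil.example and evil.example respectively) and the allowlist sends them to the fallback. The index approach sidesteps the parsing question entirely, which is why it is the simplest thing for a redirect that only ever points at a handful of known sites.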