WebApp Sec mailing list archives

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?


From: "Vail, Warren" <Warren.Vail () schwab com>
Date: Mon, 16 Aug 2004 11:02:12 -0700

Perhaps the question could be asked another way and be more on topic.

Is there a fix in I.E. 6.01 that would interfere with PHP being able to
generate different mime types on the fly, like .png or .jpg????

Thanks,

Warren Vail


-----Original Message-----
From: Jay Blanchard [mailto:jay.blanchard () niicommunications com] 
Sent: Monday, August 16, 2004 10:57 AM
To: Saqib.N.Ali () seagate com; php-general () lists php net;
webappsec () securityfocus com
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?


[snip]
I am working on securing an application that uses CDSSO (Cross Domain 
Single Sign On). 

I am trying to reproduce the CSRF (Cross Site Request Forgery) attack 
(using <img/> TAG) in I.E. 6.01, but am unable to do so. However the 
attack works on Mozilla and other older browsers.

My question: Is I.E. 6.01 SP1 doing something to foil the CSRF attack, 
i.e. only allow image extensions .gif .png .jpeg?????
[/snip]

You would have to ask the Microsoft Development Group, who probably does not
subscribe to this list. Crossposting is bad. Being OT during a crosspost is
even worse. I can hear the flamethrowers warming up in the wings.

FYI -> This is (or used to be) a PHP list

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

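The thread asks whether a browser refusing to load an <img/> whose URL lacks an image extension would stop a CSRF request. The example below is an added illustration, not code from any poster on this thread: a simulated server-side dispatcher in Python that shows why the defence has to live on the server. The session store, the cookie name `PHPSESSID`, the resource names `delete` and `avatar`, and the form field `csrf_token` are all assumptions chosen for the example. The server routes on the resource name and ignores any extension (so `/delete` and `/delete.jpg` are the same endpoint), refuses to change state on a GET (which is all an image tag can send), and additionally demands a per-session token that a cross-site page cannot read.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed in-memory session store: session id -> session data.
# A PHP application would keep this in $_SESSION; the layout is an assumption.
SESSIONS = {}
DELETED = []  # audit log of state changes actually performed


def new_session(user):
    """Log a user in: mint a session id and a per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def csrf_token_for(sid):
    """Token the legitimate form embeds as a hidden field."""
    return SESSIONS[sid]["csrf"]


def handle_request(method, url, cookies, form=None):
    """Simulated server-side dispatch. Returns (status, body).

    The browser attaches the session cookie to every request to this
    origin, including one triggered by an <img> tag on another site, so
    the cookie alone proves nothing about who composed the request. None
    of the checks below look at the URL's extension.
    """
    form = form or {}
    parsed = urlparse(url)
    # Route on the resource name only: '/delete', '/delete.jpg' and
    # '/delete.png' all reach the same code. The extension is cosmetic to
    # the server; the response's Content-Type header decides the type.
    resource = parsed.path.rsplit("/", 1)[-1].split(".", 1)[0]

    session = SESSIONS.get(cookies.get("PHPSESSID", ""))
    if session is None:
        return 401, "not logged in"

    if resource == "delete":
        # 1. State changes never happen on GET, so a plain <img src=...>
        #    fetch (always GET) cannot trigger them, whatever the URL says.
        if method != "POST":
            return 405, "state change requires POST"
        # 2. The request must carry the secret token only the real form
        #    knows; a page on another origin cannot read it.
        token = form.get("csrf_token", "")
        if not hmac.compare_digest(token, session["csrf"]):
            return 403, "missing or invalid CSRF token"
        item = form.get("id", "")
        DELETED.append((session["user"], item))
        return 200, f"deleted {item}"

    if resource == "avatar":
        # A dynamically generated image: the server chooses the MIME type
        # with a header, as PHP does with header('Content-Type: image/png').
        return 200, "Content-Type: image/png"

    return 404, "not found"


if __name__ == "__main__":
    sid = new_session("alice")
    jar = {"PHPSESSID": sid}
    print(handle_request("GET", "/app/delete?id=5", jar))
    print(handle_request("GET", "/app/delete.jpg?id=5", jar))
    print(handle_request("POST", "/app/delete", jar,
                         {"id": "5", "csrf_token": csrf_token_for(sid)}))
```

Run stand-alone, the script shows the two image-tag-style GET requests refused with 405 regardless of whether the URL ends in `.jpg`, and the genuine form POST with the session's token succeeding. Whether a particular browser version filters image URLs by extension therefore never enters into the server's decision, which is the property a CDSSO deployment should rely on.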
