RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

["Michael Silk" <michaels () phg com au>]

IE might decide, based on mime type, whether or not the linked image is
really an 'image' (I Hope it wouldn't only check the extension). But of
course, even checking the mime-type won't help at all if the you have
control over the server as you can link to x.jpg, perform the logout, or
login, or whatever, and then write out a bytes for a jpeg.

I'm not sure what point the random number would have ...

-----Original Message-----
From: Ed Lazor [mailto:Ed.Lazor () d20News com] 
Sent: Tuesday, 17 August 2004 5:01 AM
To: Saqib.N.Ali () seagate com; shiflett () php net
Cc: php-general () lists php net; webappsec () securityfocus com
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

What if you add a random seed to the URL?

<img src="http://slashdot.org/my/logout?fluff=<?php echo rand(1,200);?>"
height="1" width="1">



> -----Original Message-----
> Hello Chris,
>
> I can't share the exact code ;) , but here is something very similar:
>
> <img src="http://slashdot.org/my/logout"; height="1" width="1">
>
> If I load a web page with the above code, it should log me out of 
> slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1





This email message and accompanying data may contain information that is confidential and/or subject to legal 
privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying 
of this message or data is prohibited. If you have received this email message in error, please notify us immediately 
and erase all copies of this message and attachments.

This email is for your convenience only, you should not rely on any information contained herein for contractual or 
legal purposes. You should only rely on information and/or instructions in writing and on company letterhead signed by 
authorised persons.