xonium wrote:
A way to prevent them from working is to check the referer and require it to be the tomatocart site.
NO! Do not do this as the security check. A referring URL is easily spoofed.
How to Spoof a Referrer
Here is the proper way to do it:
Create a CSRF Token (Just the PHP one...not the Zend framework one)
Brief summary: When you load a page with a form that gets submitted to json.php you create a unique token - preferably something cryptographically secure and at least pseudo-random. Store this value in the session ($_SESSION['csrf'], perhaps?). On the form you add a hidden field and also put the token information. At this point they should match.
When you submit the form to json.php, json.php will check the $_SESSION['csrf'] value and compare it to the form value that is submitted along with the form. If they do not match, then something funky is going on here. If they match, proceed with the rest of the logic.
A very quick check of the source shows that there are at least 52 files that reference json.php in some way:
Code:
grep -nri "json\.php" ./ | cut -f1 -d":" | sort | uniq
./admin/external/json/json.php
./admin/includes/classes/json.php
./admin/includes/filenames.php
./admin/includes/jsons/products.php
./admin/json.php
./admin/templates/default.php
./admin/tocdesktop.php
./ext/json/json.php
./ext/piwik/config/manifest.inc.php
./ext/piwik/core/DataTable/Renderer/Json.php
./ext/piwik/libs/open-flash-chart/php-ofc-library/JSON.php
./ext/piwik/libs/open-flash-chart/php-ofc-library/open-flash-chart.php
./ext/piwik/modules/DataTable/Renderer/Json.php
./includes/classes/json.php
./includes/javascript/ajax_shopping_cart.js
./includes/javascript/checkout.js
./includes/javascript/polls.js
./json.php
./templates/admin/external/json/json.php
./templates/admin/includes/classes/json.php
./templates/admin/includes/filenames.php
./templates/admin/includes/jsons/products.php
./templates/admin/json.php
./templates/admin/templates/default.php
./templates/admin/tocdesktop.php
./templates/ext/json/json.php
./templates/ext/piwik/config/manifest.inc.php
./templates/ext/piwik/core/DataTable/Renderer/Json.php
./templates/ext/piwik/libs/open-flash-chart/php-ofc-library/JSON.php
./templates/ext/piwik/libs/open-flash-chart/php-ofc-library/open-flash-chart.php
./templates/ext/piwik/modules/DataTable/Renderer/Json.php
./templates/glass_gray/content/checkout/checkout.php
./templates/glass_gray/javascript/auto_completer/auto_completer.js
./templates/glass_gray/javascript/popup_cart/popup_cart.js
./templates/includes/classes/json.php
./templates/includes/javascript/ajax_shopping_cart.js
./templates/includes/javascript/checkout.js
./templates/includes/javascript/polls.js
./templates/json.php
./templates/templates/glass_gray/content/checkout/checkout.php
./templates/templates/glass_gray/javascript/auto_completer/auto_completer.js
./templates/templates/glass_gray/javascript/popup_cart/popup_cart.js
./templates/tomatocart_furniture/content/checkout/checkout.php
./templates/tomatocart_furniture/javascript/auto_completer/auto_completer.js
./templates/tomatocart_furniture/javascript/page/pageTool.php
./templates/tomatocart_furniture/javascript/popup_cart/popup_cart.js
./templates/tomatocart_furniture/javascript/products/products_view.php
./templates/tomatocart_games/javascript/auto_completer/auto_completer.js
./templates/tomatocart_games/javascript/popup_cart/popup_cart.js
./templates/tomatocart_toy/content/checkout/checkout.php
./templates/tomatocart_toy/javascript/auto_completer/auto_completer.js
./templates/tomatocart_toy/javascript/popup_cart/popup_cart.js
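As an added example (not TomatoCart's code and not from anyone in this thread), here is the token scheme described above in PHP; the function names, the hidden-field name "csrf" and the JSON error shape are assumptions, and the session-stored token is compared with hash_equals() so the check is not timing-dependent.

```php
<?php
// Added example, not TomatoCart's own code. Function and field names are assumed.
session_start();

// Called while rendering any page that contains a form posting to json.php.
// One token per session is enough for the check described in the post.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        // 32 bytes from the OS CSPRNG, hex-encoded so it is safe to embed in HTML.
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Hidden field to place inside the <form> that submits to json.php.
function csrf_field(): string {
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Called at the top of json.php before any state-changing logic runs.
// True only when a session token exists and the submitted value matches it.
// A missing session token must fail: otherwise a request sent before the
// form was ever rendered would compare "" with "" and pass.
function csrf_valid(array $request): bool {
    if (empty($_SESSION['csrf']) || !isset($request['csrf'])) {
        return false;
    }
    if (!is_string($request['csrf'])) {
        return false; // arrays (csrf[]=...) would make hash_equals() throw
    }
    return hash_equals($_SESSION['csrf'], $request['csrf']);
}

// Usage in json.php: reject before touching the cart/checkout logic.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['success' => false, 'error' => 'invalid CSRF token']);
        exit;
    }
    // ... proceed with the rest of the logic
}
```

The JavaScript callers listed above (ajax_shopping_cart.js, checkout.js, polls.js and the template scripts) would need to send the same hidden-field value with every request to json.php, or the check rejects them too.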