• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
security problem with GET

#1
My website allows user accounts, and users can upload and delete images. For deleting an image this js is called:

Code:
xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET", "<?php echo base_url(); ?>index.php/controller/method?id=" + id, true);
xmlhttp.send();

The problem is, I can manually load

domain.com/index.php/controller/method?id=xx

and I could delete another user's image.

What is the correct way of fixing this issue?
Reply

#2
You can change it to a POST request (which will still have security issues).

You need to do verification inside of the delete method to verify that

a) they have permission to delete images, and
b) they "own" that image, or belong to a role that has permission to do it.

That way people can't randomly delete stranger's photos.
Support Development  • Practical CodeIgniter 3  •
Myth:AuthVulcan - CLI Tools for CI4
Reply

#3
Make sure the image belong to current user else return false. 'Images' mean user can upload many images? And do you store image info's into specific table? Add user_id field into table that store image info to indicate that this image belong to specific user.
Keep calm.
Reply

#4
Thanks for the answers! Since the POST wouldn't solve the security issue I didn't change the GET, but added user validation in the delete method.
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.