What if can't be trusted in a CSS file that PHP echos a cookie?

Can I echo CSS from a cookie and exit without any further code...?

         

JAB Creations

11:48 pm on May 9, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



What, if any, security vulnerabilities exist if I echo a cookie's string in a PHP-created CSS file?

user_style.css.php

<?php
echo $_COOKIE['css_theme'];
exit();
?>

I am running only on PHP 5 servers and, even if I wanted to, could not migrate to a PHP 4 server. With that in mind I attempted to emulate numerous attacks that were explained in various security tutorials. I was not able to successfully execute a single attack, though I'm not a security guru. A couple of the things I attempted to do included executing any PHP code as well as spawning errors with odd characters/character combinations (while error reporting on the server is on by default).

Suggestions and thoughts?

- John

eelixduppy

1:30 am on May 10, 2008 (gmt 0)



You should be fine. The worst that I could see happening is that the cookie is spoofed and the CSS or HTML gets screwed up and something gets placed there that shouldn't be there for that particular client. If you want to be sure, depending on exactly what you are storing in the cookie's value, you can run some kind of check to make sure that it is valid input before echoing it to the browser.

JAB Creations

2:10 am on May 10, 2008 (gmt 0)




Currently I do a check when the form is posted. If at the very worst all they can do is screw up how the page looks then that makes me very happy...I just hope not ignorantly happy! :D Thank you!

- John
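
The validity check suggested in the reply above, applied when the stylesheet is served rather than only when the form is posted, as an added example that is not code from this thread. It assumes the css_theme cookie holds a short theme key instead of raw CSS; the theme names and rules are hypothetical, and the syntax targets PHP 7 or later.

```php
<?php
declare(strict_types=1);

// user_style.css.php, hardened variant (added example, not the poster's code).
// Assumption: the cookie carries only a theme key; the CSS itself stays on
// the server. Theme names and rules below are hypothetical.
const THEMES = [
    'light' => "body { background: #fff; color: #222; }\n",
    'dark'  => "body { background: #111; color: #ddd; }\n",
];
const DEFAULT_THEME = 'light';

/**
 * Map an untrusted cookie value to a known theme key.
 * Anything that is not an exact allowlist match falls back to the default.
 */
function resolve_theme($raw): string
{
    // A cookie sent as css_theme[]=x arrives as an array, not a string.
    if (!is_string($raw)) {
        return DEFAULT_THEME;
    }
    return array_key_exists($raw, THEMES) ? $raw : DEFAULT_THEME;
}

$theme = resolve_theme($_COOKIE['css_theme'] ?? null);

// PHP's default Content-Type is text/html, so declare the response as CSS
// and tell the browser not to sniff it as another type.
header('Content-Type: text/css; charset=utf-8');
header('X-Content-Type-Options: nosniff');

// Only server-side strings are ever written to the response.
echo THEMES[$theme];
exit();
```

Because the cookie is sent by the client on every request, a check made when the form is posted does not cover a value edited afterwards; the lookup here runs on each request.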