// SECURITY PROBLEM: we need cookies in FileReference.upload()
Cookies are sent fine with a URLRequest, but they are not sent when calling FileReference.upload(), so upload.php never sees the session. In the meantime I thought of a workaround. It is not perfect, but it at least stops the casual attacker, which is the current exposure: without the session cookie, upload.php has no way to tell a logged-in user from anyone else who knows its URL.
When we start the upload, we do two things. First, make a URLRequest to a PHP page that cross-checks the session data; if it checks out, store the client's IP address in a database table.
Then, in the actual upload.php, open the database and compare the inbound IP address against the one validated by the cookie-backed request. If they match, we have a pretty strong case for letting the client write to the server. You could take it a little further and also store a timestamp (or epoch seconds) and require the upload to arrive within an acceptable window, but make it generous: PHP only runs once the whole request body has arrived, so the window has to cover the entire transfer, and a tight one would cut off some 56k modems. Two caveats worth keeping in mind: take the IP from the socket (REMOTE_ADDR), never from a client-supplied header such as X-Forwarded-For, and remember that an IP address is not an identity, since everyone behind the same NAT or proxy shares one. Deleting the row once an upload has used it at least stops the same authorization being replayed.
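The two-step check described above, written out as an added example (this is not the original post's code). It assumes a PDO connection and a table named pending_uploads, both hypothetical; an in-memory SQLite database and a hard-coded session array stand in for the real MySQL table and $_SESSION so the file runs stand-alone. In production, authorize_upload() would be called from the page the URLRequest hits with $_SESSION and $_SERVER['REMOTE_ADDR'], and upload_is_authorized() from upload.php before touching $_FILES.

```php
<?php
// Added example, not code from the original post.
// Assumptions: a PDO connection and a table named pending_uploads
// (both hypothetical). SQLite in memory is used so this runs offline.
declare(strict_types=1);

// Generous window: PHP only starts once the whole upload body has arrived,
// so this must cover the full transfer time, not just a round trip.
const UPLOAD_WINDOW_SECONDS = 900;

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pending_uploads (
        user_id    INTEGER NOT NULL,
        ip         TEXT    NOT NULL,
        created_at INTEGER NOT NULL
    )');
    return $db;
}

// Step 1: called from the page the URLRequest hits. That request DOES carry
// the session cookie, so $session is trustworthy here. On success, record
// the client's socket IP (REMOTE_ADDR, never X-Forwarded-For) and the time.
function authorize_upload(PDO $db, array $session, string $remoteIp, int $now): bool
{
    if (empty($session['user_id'])) {
        return false; // cookie did not resolve to a logged-in user
    }
    // One pending authorization per user: replace any earlier one.
    $db->prepare('DELETE FROM pending_uploads WHERE user_id = :uid')
       ->execute([':uid' => $session['user_id']]);
    $db->prepare('INSERT INTO pending_uploads (user_id, ip, created_at)
                  VALUES (:uid, :ip, :ts)')
       ->execute([':uid' => $session['user_id'], ':ip' => $remoteIp, ':ts' => $now]);
    return true;
}

// Step 2: called at the top of upload.php, where no cookie arrives. Accept the
// file only if this IP was authorized within the window, then consume the row
// so the same authorization cannot be replayed for a second upload.
function upload_is_authorized(PDO $db, string $remoteIp, int $now): bool
{
    $stmt = $db->prepare('SELECT user_id, created_at FROM pending_uploads
                          WHERE ip = :ip ORDER BY created_at DESC LIMIT 1');
    $stmt->execute([':ip' => $remoteIp]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // nobody at this IP asked for an upload
    }
    if ($now - (int)$row['created_at'] > UPLOAD_WINDOW_SECONDS) {
        return false; // authorization expired
    }
    $db->prepare('DELETE FROM pending_uploads WHERE user_id = :uid')
       ->execute([':uid' => $row['user_id']]);
    return true;
}

// Demonstration with constructed values (real code would use $_SESSION after
// session_start() and $_SERVER['REMOTE_ADDR']).
$db      = open_db();
$now     = time();
$session = ['user_id' => 42]; // what the cookie-backed session resolves to

authorize_upload($db, $session, '203.0.113.7', $now);
printf("upload from authorized IP inside window: %s\n",
    upload_is_authorized($db, '203.0.113.7', $now + 30) ? 'accepted' : 'rejected');
printf("same IP again, authorization already consumed: %s\n",
    upload_is_authorized($db, '203.0.113.7', $now + 60) ? 'accepted' : 'rejected');

authorize_upload($db, $session, '203.0.113.7', $now);
printf("same IP after the window has passed: %s\n",
    upload_is_authorized($db, '203.0.113.7', $now + 2000) ? 'accepted' : 'rejected');
printf("different IP that never validated a session: %s\n",
    upload_is_authorized($db, '198.51.100.9', $now + 30) ? 'accepted' : 'rejected');
```

The consume-on-use delete is what keeps one successful validation from being reused for many uploads; the remaining weakness is the one noted above, that any other client sharing the same public IP can slip an upload in during the window.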