Simetrical wrote:
On 8/24/06, Timwi <timwi@gmx.net> wrote:
I was trying to address the security issues that come from the user's ability to cause the server to perform any GET request to any server.
This is a problem why, provided the server is careful about what it does with the response?
It's not the response that's the problem, it's the GET request itself.
Suppose some stupid web programmer programmed a forum where you can delete posts with a GET request. If you can fire GET requests to any server from Wikimedia's servers, then the forum's servers will only log Wikimedia's IPs, and the mass-deletion forum vandal is now untraceable.
I'm sure there are even more significant cases that I haven't thought of.
Timwi
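The concern in this thread is a server that will issue a GET to any URL a user supplies, which hides the real requester behind the server's IP. As an added illustration (not code from the thread or from MediaWiki), the check below refuses everything except an allowlisted set of hosts and attaches headers that attribute the request to the originating client. The host names, policy and header names are assumptions for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy: only these hosts may ever be fetched on a user's behalf.
ALLOWED_HOSTS = {"upload.example.org", "commons.example.org"}


def check_outbound_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return None if the URL may be fetched, otherwise the reason it was refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    # Refuse IP literals outright; loopback and private ranges never belong
    # on the allowlist, and a literal bypasses any name-based policy.
    try:
        ipaddress.ip_address(host)
        return "ip literal not allowed"
    except ValueError:
        pass
    if host.lower() not in allowed_hosts:
        return "host not on allowlist"
    if parts.username or parts.password:
        return "credentials in url"
    # Caveat: an allowlisted name can still resolve to an internal address
    # later (DNS rebinding); the fetcher should re-check the resolved IP at
    # connect time as well.
    return None


def attribution_headers(client_ip, username=None):
    """Headers that let the remote site log who actually triggered the fetch,
    instead of only the proxying server's own address (hypothetical names)."""
    headers = {
        "X-Forwarded-For": client_ip,
        "User-Agent": "ExampleWikiFetcher/1.0 (+https://example.org/fetch-policy)",
    }
    if username:
        headers["X-Originating-User"] = username
    return headers


if __name__ == "__main__":
    # Constructed inputs: one legitimate fetch, one attempt at a third-party forum.
    for u in ("https://upload.example.org/a.png", "http://forum.example.net/delete?post=7"):
        print(u, "->", check_outbound_url(u) or "allowed")
    print(attribution_headers("203.0.113.5", "ExampleUser"))
```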