[dev] Re: [cvs] commit: horde/services go.php

Chuck Hagenbuch chuck at horde.org
Wed Aug 11 20:08:12 PDT 2004


Quoting Jan Schneider <jan at horde.org>:

> Redirecting embedded images like
> <img src="admin/user.php?action=delete&user=all" />

Hmm. This means you can cause Horde, with no auth, to essentially do a remote
bandwidth-sucking attack. I think we should rethink this.

Could go.php simply refresh to itself until the SID is out of the URL? This
isn't even an issue for cookie-based sessions, right?

-chuck

--
"Regard my poor demoralized mule!" - Juan Valdez

