A student run server on my old campus used to turn off PHP for
security reasons - ridiculous.
Would it be possible to use XSS to call curl from a remote site? I'm
just a beginner so that may or not make sense.
Indeed it does seem like JS is the solution - unfortunately - as it
seems like their 'trap' catches any string including CURL U before I
can str_replace the string after gathering the input with _POST.
Anyone disagree?
best,
Charles
On Oct 10, 2005, at 3:12 PM, Rory Browne wrote:
I'm not completely sure, but I think they're talking shite. If curl is
a security problem, then disable curl. They seem from what you've
said, to be pretty irrational. I respect security paranoia, but this
is ridicules.
You could try replacing every letter in the word curl with it's &#xxx;
equivlent, but that might not work. You would also have to do it in
JS, although I think that any browser with the exception on lynx has
JS capabilities.
On 10/10/05, Charles Stuart <lists@xxxxxxxxx> wrote:
Hi,
I'm on shared hosting. Because of security concerns on their part
[1], every time the text "curl u" is inputted, a 403 forbidden is
given and the form is not submitted. This is of course a problem as
I'm doing work for a children's literacy program, and plenty of
people try to input "curl up with a book".
I'm trying to use 'str_replace' to solve this issue, but I can't seem
to get around the 403 error.
It appears as if the hosting service doesn't give me a chance to
replace "curl u" with something else prior to them blocking the
attempted submit.
I can tell my str_replace is working as if I change the searched text
to something other than "curl u" it does in fact replace it and
submit it correctly.
Anyone have any ideas for a workaround? My next thought is to use
javascript, but I think the site serves quite a few people who might
not have javascript on.
Thanks for listening. Below is the PHP [2].
best,
Charles
[2]
// Grabbing the data from the form.
if ($task == "updateInfo")
{
$activityChallenges = cs_remove_curl_up(sanitize_paranoid_string
($_POST["activityChallenges"]));
}
// change "curl u" to "EDIT kurl u"
function cs_remove_curl_up($string, $min='', $max='')
{
$string = str_replace("curl u", "EDIT kurl u", $string);
$len = strlen($string);
if((($min != '') && ($len < $min)) || (($max != '') && ($len >
$max)))
return FALSE;
return $string;
}
[1]
My host told me this:
"Mod_security is restricting this and blocks all url's with C-url.
This is done because of some php worms that are spread using c-url. I
would recommend trying to work around this. It will be a major
security issue for us to allow this."
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
