On Wed, Mar 11, 2009 at 13:44, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:
> filtered wrote:
>> Hi,
>>
>> we have a script containing
>>
>> <? echo $_GET['studio'] ?>
>
> let's say I do:
>
> example.com/yourscript.php?studio=<script type="text/javascript">alert('I am an evil haxor');</script>
>
> excusing the fact that the query is not urlencoded, what happens on your site
> (replace domain and script name to match your site/script)
>

Ok, but I don't see how this code could be used to attack the local php/web-server in order to intrude into the system or, e.g., to install a rootkit. Right?

Andreas
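Added example, not part of the original thread: the quoted script echoes the `studio` query parameter into the HTML response unchanged, and the version below encodes it for HTML output first. The helper names `studio_param` and `html` are hypothetical, the sample value is constructed, and PHP 7 or later is assumed.

```php
<?php
// Added example (not from the thread). The script quoted in the thread
// runs `echo $_GET['studio']`, copying the query parameter into the
// response as-is, so any markup in the URL is parsed by the visitor's
// browser in the context of the site.

/**
 * Hypothetical helper: return the 'studio' parameter as a plain string.
 * PHP turns a query like studio[]=x into an array, so non-string input
 * is rejected instead of being echoed as "Array" with a notice.
 */
function studio_param(array $query): string
{
    $value = $query['studio'] ?? '';
    return is_string($value) ? $value : '';
}

/** Hypothetical helper: encode a value for HTML text or a quoted attribute. */
function html(string $value): string
{
    // ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces
    // invalid UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs, standing in for $_GET in a real request.
$samples = [
    ['studio' => '<b>Studio "A" & B</b>'],   // markup and quotes
    ['studio' => ['unexpected', 'array']],   // studio[]=... form
    [],                                      // parameter missing
];

foreach ($samples as $query) {
    // Every special character reaches the page as an entity, so the
    // browser renders it as text rather than interpreting it as markup.
    echo '[', html(studio_param($query)), ']', PHP_EOL;
}

// In the page template the call would be: echo html(studio_param($_GET));
```

The encoding shown is for HTML body text and quoted attribute values; a value placed inside a script block, a URL, or a style attribute needs the encoding for that context instead.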