Shawn McKenzie wrote:
> Jochem Maas wrote:
>> Martin Zvarík schreef:
>>> What's the point?
>>>
>>> If user puts in a search input something like <script>alert('I am super
>>> hacker');</script>
>>>
>>> And the website outputs:
>>> You are searching for: <script>....</script>
>>>
>>> then what? it shows an alert(), who cares?
>> replace the alert() with some code that passes the cookie to a hacker controlled
>> domain. now create a URL that includes the given javascript:
>>
>> echo 'http://mzvarik.com/foo?somevar='.urlencode('<script type="text/javascript">/*evil code here*/</script>');
>>
>> send url to unsuspecting users of your site. anyone know clicks the URL
>> has just had their cookies hijacked.
>>
>> still don't mind?
>>
>>> I, as an owner of this website, don't mind AT ALL.
>>>
>>> Aha, forget to mention the XSS on MySQL or inside comments right? Isn't
>>> mysql_real_escape_string(), strip_tags() enough?
>>>
>>> Martin
>>>
>
> A little off topic, but I was testing some exploits like this on my dev
> box and no matter what I did all quotes in the URL were escaped with \
> even if I urlencoded the quotes (single or double). I have
> magic_quotes_gpc = on but I wouldn't think this would escape urlencoded
> quotes. Is it the suhosin patch maybe or something elese?
>
Answered my own question by turning off magic_quotes_gpc. Now it works.
--
Thanks!
-Shawn
http://www.spidean.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
