XSS or Cross Site Scripting is the ability to inject malicious JavaScript or HTML into the $_POST or $_GET variables, and at the bottom line - to get them printed and output to the client through the HTML code of the page. In order to avoid such security issues all you have to do is to sanitise the $_GET and $_POST input before outputting them to the browser. Check out htmlentities() and similar stuff.

On Tue, Jun 9, 2009 at 8:47 PM, Skip Evans <skip@xxxxxxxxxxxxxxxxx> wrote:
> Well, the function filter_input(INPUT_GET, 'kw', FILTER_SANITIZE_ENCODED);
>
> ...seemed to take care of the example on the report by Security Metrics.
>
> Am I on the right track here, at least?
>
> I'm reading pages on 'sanitizing PHP input'. Is that where I should be
> headed?
>
> Skip
>
> Shawn McKenzie wrote:
>>
>> Skip Evans wrote:
>>>
>>> Hey all,
>>>
>>> You may have seen my earlier message about a current client whose site
>>> I've taken over maintenance on that is trying to get PCI Compliance from
>>> Security Metrics. I've put all the forms behind https and a couple of
>>> other things, but this one I don't know how to solve. I'll read up on
>>> cross site scripting, but could someone help me understand what they
>>> believe the vulnerability is in their notes below?
>>>
>>> Thanks,
>>> Skip
>>>
>>> Possible cross site scripting on http://www.ranghart.com/index.php
>>>
>>> Use the following commands to verify this: wp --inject
>>>
>>> "http://www.ranghart.com/index.php?action=searchkw=SEARCH%22%3E%3Cscript%3Ealert%28123%29%3C%
>>>
>>> TCP http/https 4
>>> curl -L
>>>
>>> "http://www.ranghart.com/index.php?action=searchkw=SEARCH%22%3E%3Cscript%3Ealert%28123%29%3C%
>>>
>>> grep "123" This website may have other injection
>>> related vulnerabilities.
>>>
>>
>> Well, their example is not correct, try:
>>
>> http://www.ranghart.com/index.php?action=search&kw=SEARCH%3Cscript%3Ealert%28"Im doing some nasty JavaScipt hacking here!"%29%3B%3C%2Fscript%3E
>> in a browser.
>>
>> This means that you're not validating/sanitizing input. You can't just
>> take the contents of a $_GET, $_POST, etc. (any user input) variable and
>> echo it out.
>>
>
> --
> ====================================
> Skip Evans
> Big Sky Penguin, LLC
> 503 S Baldwin St, #1
> Madison WI 53703
> 608.250.2720
> http://bigskypenguin.com
> ------------------------------------
> Those of you who believe in
> telekinesis, raise my hand.
> -- Kurt Vonnegut
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
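The pattern Shawn describes (echoing a $_GET value straight into the page) next to the output-escaping fix the reply recommends, as an added example that is not code from the thread or from the ranghart.com site. The function names, the HTML template, and the use of htmlspecialchars() rather than htmlentities() are this example's own choices; the decoded payload is the one from the Security Metrics report above.

```php
<?php
// Added example (not from the thread): the reflected-input bug beside an
// output-escaped version. Function names and the HTML snippet are assumptions.

declare(strict_types=1);

// Vulnerable: the raw 'kw' parameter is written into both an attribute value
// and the page body. A value containing "> closes the attribute and the tag,
// and whatever follows is parsed by the browser as markup.
function render_search_unsafe(string $kw): string
{
    return '<input type="text" name="kw" value="' . $kw . '">'
         . '<p>Results for: ' . $kw . '</p>';
}

// Hardened: escape for the HTML context at the point of output.
// ENT_QUOTES also escapes single quotes, so the value is safe inside either
// attribute delimiter; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string; the charset must match the page's encoding.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_safe(string $kw): string
{
    $safe = html_escape($kw);
    return '<input type="text" name="kw" value="' . $safe . '">'
         . '<p>Results for: ' . $safe . '</p>';
}

// Constructed input: the URL-decoded form of the scanner's payload.
// In the real handler this would be $_GET['kw'] ?? ''.
$payload = 'SEARCH"><script>alert(123)</script>';

echo "Unsafe:\n" . render_search_unsafe($payload) . "\n\n";
echo "Safe:\n"   . render_search_safe($payload)   . "\n";
```

In the safe output the quote and angle brackets come back as `&quot;`, `&lt;` and `&gt;`, so the browser shows the literal text and never creates a script element. Two points worth knowing when checking the fix: the report's `curl ... | grep "123"` check still matches the escaped page, so verify that `<script>` does not appear unescaped rather than that the number is absent; and FILTER_SANITIZE_ENCODED URL-encodes the value (spaces become %20 in what the visitor sees), which does defuse the tag but is a URL-context encoding, whereas htmlspecialchars() is the encoding that matches an HTML context.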