Re: Html injection/hacking, but what does it do? Any advice?

Posted by arccos on 08/04/06 13:21

Dylan Sung wrote:
> "FFMG" <spambucket@myoddweb.com> wrote in message
> news:1154529772.964149.179970@i3g2000cwc.googlegroups.com...
> > Dylan Sung wrote:

<snip>

> > > If they were trying to break into your site, you would have been left
> > > with
> > > much more mayhem.
> >
> > How so?
>
> I'm not very good on security, but from what I read, if you write scripts
> (or code/programs) that execute in your site, and it isn't well written with
> security in mind, it can be exploited to do bad things. I'm sure there are
> more folks here who know the ins and outs of such matters.
>
> Cheers,
> Dyl.

To answer the security question, your site may be vulnerable to
cross-site scripting, which is more serious than a bit of spam. When
someone enters a comment with the < and > characters, do the characters
< and > show up on the page, or do the characters < and > show up in
the source code? If it's the second, you are vulnerable.

Anyone entering a comment can use the HTML tags < and >, which means
they can use cross-site scripting attacks. That in turn means they can
run their code from your webpage. See here:
http://en.wikipedia.org/wiki/Cross-site_scripting

You would have the most serious vulnerability, what they list here as
type-2. The easiest way to fix this is to modify your code to either
strip out < and >, or to HTML encode it (change < to &lt; and > to
&gt;) in all comments as they are submitted.

Without a URL, I can't say for sure if you do have the vulnerability.
Good luck!
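As an added illustration, not code from the thread or from any poster, the following Python script carries out both of the fixes described above (stripping < and >, or HTML-encoding them) and the diagnostic test the post describes: render a submitted comment into a page fragment and check whether a tag survives as a real tag in the source. The sample comments, the `render_comment` wrapper and the `<p class="comment">` markup are constructed for the demo and are assumptions, not anything from the original site. `html.escape` also encodes `&` and quotes, which the post does not mention but which matter the moment comment text ends up inside an attribute.

```python
import html
import re

# Constructed sample comments for the demo; none of these come from the thread.
SAMPLE_COMMENTS = [
    "Great article, thanks!",
    "Use 1 < 2 && 3 > 2 in your condition",
    "<b>bold</b> text",
    '<script>alert(1)</script>',
]

# Anything that looks like an HTML tag: "<", optional "/", a tag name, up to ">".
# "1 < 2" is deliberately not matched, mirroring how a browser treats it.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def strip_angle_brackets(comment: str) -> str:
    """First fix from the post: drop < and > so no tag can ever form.
    Simple, but it silently mangles legitimate text such as "a < b"."""
    return comment.replace("<", "").replace(">", "")


def html_encode(comment: str) -> str:
    """Second fix from the post: turn < into &lt; and > into &gt; so the
    browser shows the characters instead of parsing them. html.escape also
    encodes & and both quote characters, which is what you want if the
    comment is ever placed inside an attribute value."""
    return html.escape(comment, quote=True)


def render_comment(comment: str, encode=html_encode) -> str:
    """Hypothetical page template: wraps the (encoded) comment in a paragraph.
    Pass encode=lambda s: s to reproduce a site that echoes input raw."""
    return f'<p class="comment">{encode(comment)}</p>'


def is_vulnerable(source_fragment: str) -> bool:
    """The post's test, automated: look at the page *source*. If a submitted
    tag is present as a real tag (not as &lt;...&gt;), input is echoed raw."""
    inner = re.search(r'<p class="comment">(.*)</p>', source_fragment, re.S)
    body = inner.group(1) if inner else source_fragment
    return TAG_RE.search(body) is not None


def audit(comments=SAMPLE_COMMENTS):
    """Return, per comment, whether the raw, stripped and encoded renderings
    leave a live tag in the page source."""
    report = []
    for c in comments:
        report.append({
            "comment": c,
            "raw": is_vulnerable(render_comment(c, encode=lambda s: s)),
            "stripped": is_vulnerable(render_comment(c, encode=strip_angle_brackets)),
            "encoded": is_vulnerable(render_comment(c)),
        })
    return report


if __name__ == "__main__":
    for row in audit():
        print(f"{row['comment']!r:40} raw={row['raw']!s:5} "
              f"stripped={row['stripped']!s:5} encoded={row['encoded']}")
```

Encoding is the better of the two fixes because it preserves what the commenter typed; the post's point that it must be applied to every comment still stands, since one unencoded path is enough to reintroduce the problem.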
