Posted by Charles Stuart on 10/11/05 01:19
A student-run server on my old campus used to turn off PHP for
security reasons - ridiculous.
Would it be possible to use XSS to call curl from a remote site? I'm
just a beginner so that may or may not make sense.
Indeed it does seem like JS is the solution - unfortunately - as it
seems like their 'trap' catches any string including CURL U before I
can str_replace the string after gathering the input with _POST.
Anyone disagree?
best,
Charles
On Oct 10, 2005, at 3:12 PM, Rory Browne wrote:
> I'm not completely sure, but I think they're talking shite. If curl is
> a security problem, then disable curl. They seem, from what you've
> said, to be pretty irrational. I respect security paranoia, but this
> is ridiculous.
>
> You could try replacing every letter in the word curl with its &#xxx;
> equivalent, but that might not work. You would also have to do it in
> JS, although I think that any browser with the exception of lynx has
> JS capabilities.
>
> On 10/10/05, Charles Stuart <lists@enure.net> wrote:
>
>> Hi,
>>
>> I'm on shared hosting. Because of security concerns on their part
>> [1], every time the text "curl u" is inputted, a 403 forbidden is
>> given and the form is not submitted. This is of course a problem as
>> I'm doing work for a children's literacy program, and plenty of
>> people try to input "curl up with a book".
>>
>> I'm trying to use 'str_replace' to solve this issue, but I can't seem
>> to get around the 403 error.
>>
>> It appears as if the hosting service doesn't give me a chance to
>> replace "curl u" with something else prior to them blocking the
>> attempted submit.
>>
>> I can tell my str_replace is working as if I change the searched text
>> to something other than "curl u" it does in fact replace it and
>> submit it correctly.
>>
>> Anyone have any ideas for a workaround? My next thought is to use
>> javascript, but I think the site serves quite a few people who might
>> not have javascript on.
>>
>> Thanks for listening. Below is the PHP [2].
>>
>>
>> best,
>>
>> Charles
>>
>>
>> [2]
>> // Grabbing the data from the form.
>>
>> if ($task == "updateInfo")
>> {
>>     $activityChallenges = cs_remove_curl_up(sanitize_paranoid_string($_POST["activityChallenges"]));
>> }
>>
>> // change "curl u" to "EDIT kurl u"
>>
>> function cs_remove_curl_up($string, $min='', $max='')
>> {
>>     $string = str_replace("curl u", "EDIT kurl u", $string);
>>     $len = strlen($string);
>>     if ((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
>>         return FALSE;
>>     return $string;
>> }
>>
>>
>>
>> [1]
>> My host told me this:
>>
>> "Mod_security is restricting this and blocks all url's with C-url.
>> This is done because of some php worms that are spread using c-url. I
>> would recommend trying to work around this. It will be a major
>> security issue for us to allow this."
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
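The layering the thread is stuck on, as an added illustration (not code from the thread, the host, or mod_security): the WAF rule is evaluated on the raw request body before PHP runs, so a server-side str_replace never gets a chance, and a rule keyed on command-line context rather than the bare substring lets "curl up with a book" through. `naive_rule` models only the one trigger the thread confirms; `tuned_rule` and the sample strings are my assumptions, not the host's real configuration.

```python
import re
from typing import Callable, Optional, Tuple

# Constructed sample form submissions (not taken from the original thread).
SAMPLES = {
    "book": "I like to curl up with a book",
    "cmd": "curl -s http://example.invalid/x",  # curl used as a command, with an option and a URL
}


def naive_rule(body: str) -> bool:
    """Models the behaviour reported in the thread: plain substring match on 'curl u'."""
    return "curl u" in body.lower()


# Assumed tighter rule (not the host's actual mod_security rule): flag 'curl' only when it is
# followed by a command-line option or a URL scheme, i.e. used as a command, not an English verb.
TUNED = re.compile(r"\bcurl\s+(?:-{1,2}\w|(?:https?|ftp)://)", re.IGNORECASE)


def tuned_rule(body: str) -> bool:
    return TUNED.search(body) is not None


def app_handler(body: str) -> str:
    """Python equivalent of the thread's str_replace; runs only if the request reaches PHP."""
    return body.replace("curl u", "EDIT kurl u")


def handle_request(body: str, waf_rule: Callable[[str], bool]) -> Tuple[int, Optional[str]]:
    """The WAF inspects the raw body first; the application sees it only if the WAF passes it."""
    if waf_rule(body):
        return 403, None  # rejected before any application code executes
    return 200, app_handler(body)


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        for rule in (naive_rule, tuned_rule):
            print(name, rule.__name__, handle_request(body, rule))
```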