Re: $_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF'] (or other?)

Posted by Chuck Anderson on 02/28/06 05:55

Jim Carlock wrote:

>"Chuck Anderson" <websiteaddress@seemy.sig> wrote:
>
>
>>I'm just trying to follow this discussion, so I tried the examples to
>>see what happens
>>
>>When I re-create the example at:
>>http://blog.phpdoc.info/archives/13-XSS-Woes.html
>>
>>
>
>Hi, Chuck,
>
>I provided the link as an explanation of the problem rather than
>trying those items out. I did notice that the same typed uri that Colin
>McKinnon suggested to test things was found on that page.
>
>Colin McKinnon's sample works for me.
>
>(1) Page named test.php containing:
>
><?php phpinfo(); ?>
>
>(2) Then type into the address-bar:
>
>http://localhost/test.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E%3Cblahblah
>
>That specific example requires a browser with JavaScript enabled.
>
>
When I do that locally, I see nothing odd about phpinfo (the extra data
string is part of server data, but I would expect that).

WindowsXP Pro
Apache 2.0
PHP 4.4.1

No JavaScript is executed.

When I do the same on my remote server, I get a 403 error. Added extra
data =
/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E%3Cblahblah

That's on Linux - PHP 4.4.1 and Apache 1.3.34.

>(1) I tested the following code with Internet Explorer, saved as file
>named test.php.
>
><html>
><head>
><title>Testing Server Variables</title>
></head>
><body><p><a href="#<?php echo($_SERVER['SERVER_NAME']); ?>">Hold your mouse over this link</a></p>
><p><?php echo($_SERVER['PHP_SELF']); ?></p></body></html>
>
>(2) Then typed the following into the address bar of Internet Explorer:
>
>http://localhost/test.php/%22%3E%3Cimg%20src=http://www.perl.com/images/75-logo.jpg%3E%3Cblah
>
>It presented the following HTML encoding, properly rendering the
>displayal of the picture:
>
><html>
><head>
><title>Testing Server Variables</title>
></head>
><body><p><a href="#127.0.0.1">Hold your mouse over this link</a></p>
><p>/test.php/\"><img src=http://www.perl.com/images/75-logo.jpg><blah></p></body></html>
>
>When moving the mouse over the line that says,
>
> "Hold your mouse over this link".
>
>Take notice of what the browser puts in your statusbar while hovering
>over the link.
>
>
Okay, now this I see (the image).

But if I use Colin's extra data -
/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E%3Cblahblah
- the JavaScript is not executed - not in Firefox or IE.

>I tested the problems on two different servers,
>
>(1) is a server running PHP on Apache on Windows XP Pro.
>(2) I see the problem on the Unix server running Apache and
>PHP.
>
>Both servers are running older versions of Apache (1.3) and
>PHP (4.4.1). So perhaps it only applies to older versions of
>PHP?
>
>Just curious, which versions of PHP are you testing this on?
>
>
See above.

--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
Integrity is obvious.
The lack of it is common.
*****************************
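
Added example, not part of the thread or any poster's code: the value the quoted test.php echoes from `$_SERVER['PHP_SELF']`, next to the same value HTML-encoded and next to `$_SERVER['SCRIPT_NAME']`, which carries no trailing path info. It assumes PHP 7 or later; the helper names `h()` and `self_path()` and the `$server` array (constructed to mirror the image URL tested above) are hypothetical.

```php
<?php
// Added example. $server is a constructed stand-in for $_SERVER as it would
// look for the request http://localhost/test.php/<extra data> from the thread.

/** Encode a value for HTML text or a quoted attribute (hypothetical helper). */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Path of the running script for self-referencing links and form actions
 * (hypothetical helper). SCRIPT_NAME stops at the script itself, while
 * PHP_SELF also includes whatever follows it in the URL path.
 */
function self_path(array $server): string
{
    return h($server['SCRIPT_NAME'] ?? '');
}

// Constructed sample values: the server URL-decodes the extra path segment
// before PHP sees it, so the markup characters arrive intact.
$extra  = '/"><img src=http://www.perl.com/images/75-logo.jpg><blah';
$server = [
    'SCRIPT_NAME' => '/test.php',
    'PATH_INFO'   => $extra,
    'PHP_SELF'    => '/test.php' . $extra,
];

$raw     = $server['PHP_SELF'];     // what echo($_SERVER['PHP_SELF']) emits
$encoded = h($server['PHP_SELF']);  // same data, rendered as inert text
$self    = self_path($server);      // extra path data never reaches the page

// Show each form as plain text so the difference is visible on a console.
header('Content-Type: text/plain; charset=UTF-8');
echo "raw PHP_SELF:     {$raw}\n";
echo "encoded PHP_SELF: {$encoded}\n";
echo "SCRIPT_NAME:      {$self}\n";

// Check that encoding left no character that can open a tag or close an attribute.
$inert = strpbrk($encoded, '<>"\'') === false;
echo 'encoded value is inert markup-wise: ' . ($inert ? 'yes' : 'no') . "\n";
```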
