Reply to Re: [PHP] str_replace

Your name:

Reply:


Posted by Jochem Maas on 10/11/05 04:53

Charles Stuart wrote:
> A student run server on my old campus used to turn off PHP for security
> reasons - ridiculous.
>
> Would it be possible to use XSS to call curl from a remote site? I'm
> just a beginner so that may or not make sense.

I'm not really a beginner but I don't know if that makes sense either :-S
I'm pretty sure the answer is no.

>
> Indeed it does seem like JS is the solution - unfortunately - as it

workaround, not solution. a new host would be a solution,
one that means you don't have to waste time coding around completely
crazy setups.

> seems like their 'trap' catches any string including CURL U before I

seems like a total bogus filter. exactly what makes 'CURL U' so evil when
passed to a php/cgi script anyway?

> can str_replace the string after gathering the input with _POST. Anyone
> disagree?

well you could check out something like:

<?
$putdata = fopen( "php://input" , "rb" );
while(!feof( $putdata ))
echo fread($putdata, 4096 );
fclose($putdata);
?>

or

<?
echo file_get_contents('php://input');
?>

or

<?
echo $HTTP_RAW_POST_DATA;
?>


>
>
>
> best,
>
> Charles
>
>
>
> On Oct 10, 2005, at 3:12 PM, Rory Browne wrote:
>
>> I'm not completely sure, but I think they're talking shite. If curl is

I think I can smell it here too.

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация