Posted by Jochem Maas on 10/11/05 04:53
Charles Stuart wrote:
> A student-run server on my old campus used to turn off PHP for security
> reasons - ridiculous.
>
> Would it be possible to use XSS to call curl from a remote site? I'm
> just a beginner so that may or may not make sense.
I'm not really a beginner but I don't know if that makes sense either :-S
I'm pretty sure the answer is no.
>
> Indeed it does seem like JS is the solution - unfortunately - as it
Workaround, not solution. A new host would be a solution,
one that means you don't have to waste time coding around completely
crazy setups.
> seems like their 'trap' catches any string including CURL U before I
Seems like a totally bogus filter. Exactly what makes 'CURL U' so evil when
passed to a php/cgi script anyway?
> can str_replace the string after gathering the input with _POST. Anyone
> disagree?
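Well, you could check out something like:
<?php
// Stream the raw request body in 4 KB chunks, bypassing $_POST parsing.
$putdata = fopen('php://input', 'rb');
while (!feof($putdata)) {
    echo fread($putdata, 4096);
}
fclose($putdata);
?>
or
<?php
// Read the whole raw request body in one call.
echo file_get_contents('php://input');
?>
or
<?php
// Needs always_populate_raw_post_data enabled; removed in PHP 7.0.
echo $HTTP_RAW_POST_DATA;
?>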
>
>
>
> best,
>
> Charles
>
>
>
> On Oct 10, 2005, at 3:12 PM, Rory Browne wrote:
>
>> I'm not completely sure, but I think they're talking shite. If curl is
I think I can smell it here too.