WebApp Sec mailing list archives
Re: XSS help
From: David Precious <davidp () pipex net>
Date: Mon, 9 Aug 2004 17:05:59 +0100
On Monday 09 August 2004 14:12, Serg B. wrote:
> Hi All, I am testing a site and came across a scenario where there is a login form displayed on front page with a form heading that is displayed by being passed in, from GET variable by appending it to the URL.

<snip>

> So this leads me to the next thought. Is it at all possible to execute an arbitrary server side code on the server via this bug? E.g.:
>
> www.mydomain.com/form.php?var=<?php echo 'test' ?>
>
> This was unsuccessful since quotes (both ' and ") got escaped. I then tried:
>
> www.mydomain.com/form.php?var=<?php echo 1 ?>
>
> Which echoed everything, PHP tags, code, etc (from looking at page source). I also tried to wrap all of this business in JS escape function with no luck. So the question is how I could run PHP (not JavaScript, since that was covered in numerous papers and presentations...) from what I found.

No, the PHP script will just be echo'ing out the 'var' variable - it should not be attempting to execute it. Because the coder hasn't taken precautions to clean the input, it will happily output the JavaScript you've given it so that the browser will execute it, but it will not execute any PHP code - it'll just get returned to the browser as-is.

Cheers

David P
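
The behaviour described in the reply above, as an added example that is not part of the original thread or the tested site's code: a value echoed into the page is only ever data to PHP, so PHP tags in it come back as literal text, while HTML in it reaches the browser as markup unless it is encoded on output. The parameter name `var` is from the thread; the function names and sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical stand-in for the form.php discussed in the thread.
// Run from the command line with: php example.php

// "Before": the heading is concatenated into the page unmodified.
// PHP treats the value as a string; it is never parsed as PHP code.
function render_heading_unsafe(string $heading): string
{
    return '<h1>' . $heading . "</h1>\n";
}

// "After": the heading is HTML-encoded for an element-content context,
// so the browser displays it as text instead of interpreting it as markup.
function render_heading_safe(string $heading): string
{
    return '<h1>'
        . htmlspecialchars($heading, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . "</h1>\n";
}

// Constructed sample values for the 'var' GET parameter.
$samples = [
    'Member login',               // the intended use
    '<?php echo 1 ?>',            // PHP tags: returned as-is, not executed
    '<script>alert(1)</script>',  // markup: interpreted by the browser if unencoded
];

foreach ($samples as $value) {
    // In the real page this value would come from $_GET['var'].
    echo 'input : ', $value, "\n";
    echo 'unsafe: ', render_heading_unsafe($value);
    echo 'safe  : ', render_heading_safe($value);
    echo "\n";
}
```

The `unsafe` line for the second sample shows the PHP tags in the output exactly as they were sent, which matches what the original poster saw in the page source; the `safe` lines show the same inputs with `<` and `>` encoded as `&lt;` and `&gt;`.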