WebApp Sec mailing list archives
XSS help
From: "Serg B." <serg () dodo com au>
Date: Mon, 09 Aug 2004 23:12:34 +1000
Hi All,
I am testing a site and came across a scenario where there is a login
form displayed on the front page with a form heading that is displayed by
being passed in from a GET variable, by appending it to the URL.
E.g.:
www.mydomain.com/form.php?var=Welcvome+To...
So the obvious first thing was to fiddle around with some JS and I was able
to successfully pass in:
var=<script>alert(document.cookie)</script>
(JavaScript)
Classic XSS, if there is such a thing.
So this leads me to the next thought. Is it at all possible to execute
arbitrary server-side code on the server via this bug?
E.g.:
www.mydomain.com/form.php?var=<?php echo 'test' ?>
This was unsuccessful since quotes (both ' and ") got escaped. I then
tried:
www.mydomain.com/form.php?var=<?php echo 1 ?>
Which echoed everything, PHP tags, code, etc. (from looking at the page
source). I also tried to wrap all of this business in the JS escape function
with no luck.
So the question is how I could run PHP (not JavaScript, since that was
covered in numerous papers and presentations...) from what I found.
Thanx,
Serg
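
An added example, not part of the original post and not the tested site's code: a minimal PHP sketch of a heading reflected from a GET value, the unencoded form beside an HTML-encoded one, run over the two payloads quoted above. The function names and the `<h1>` wrapper are hypothetical; it assumes the page simply concatenates the value into its output.

```php
<?php
// Added illustration. render_heading_unsafe / render_heading_safe and the
// sample inputs are hypothetical, constructed for this example.

// Reflected as-is: the browser receives the raw markup and parses it.
function render_heading_unsafe(string $var): string
{
    return '<h1>' . $var . '</h1>';
}

// Encoded for the HTML body context before output.
function render_heading_safe(string $var): string
{
    $encoded = htmlspecialchars($var, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h1>' . $encoded . '</h1>';
}

// Constructed samples matching the two payloads quoted in the post.
$samples = [
    'script tag' => '<script>alert(document.cookie)</script>',
    'php tag'    => '<?php echo 1 ?>',
];

foreach ($samples as $label => $input) {
    echo "== {$label} ==\n";
    // A string built at run time is only response data. PHP tokenizes the
    // script file itself, so a PHP open tag inside $input is sent to the
    // client as literal text. It would be interpreted only if the
    // application handed the value to eval() or include, which is a
    // different flaw from reflection.
    echo 'unsafe: ', render_heading_unsafe($input), "\n";
    echo 'safe:   ', render_heading_safe($input), "\n";
}
```

Run from the command line, the unsafe lines carry both payloads through unchanged, while the safe lines contain only entity-encoded text that a browser displays rather than parses.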
