Re: XSS help

[David Precious <davidp () pipex net>]

On Monday 09 August 2004 14:12, Serg B. wrote:
> Hi All,
>
> I am testing a site and came across a scenario where there is a login
> form displayed on front page with a form heading that is displayed by
> being passed in, from GET variable by appending it to the URL.
<snip>

> So this leads me to the next thought. Is it at all possible to
> execute an arbitrary server side code on the server via this bug?
>
> E.g.:
>    www.mydomain.com/form.php?var=<?php echo 'test' ?>
>
> This was unsuccessful since quotes (both ' and ") got escaped. I then
> tried:
>    www.mydomain.com/form.php?var=<?php echo 1 ?>
>
> Which echoed everything, PHP tags, code, etc (from looking at page
> source). I also tried to wrap all of this business in JS escape
> function with no luck.
>
> So the question is how I could run PHP (not JavaScript, since that
> was covered in numerous papers and presentations...) from what I
> found.

No, the PHP script will just be echo'ing out the 'var' variable - it 
should not be attempting to execute it.  

Because the coder hasn't taken precautions to clean the input, it will 
happily output the Javascript you've given it so that the browser will 
execute it, but it will not execute any PHP code - it'll just get 
returned to the browser as-is.

Cheers

David P