WebApp Sec mailing list archives
RE: XSS help
From: "Matt Szubrycht" <matt () bmihosting com>
Date: Mon, 9 Aug 2004 15:18:18 -0400
Serg, Once PHP is executed on the server, the browser cannot see the PHP source code. Regards, Matt : -----Original Message----- : From: Serg B. [mailto:serg () dodo com au] : Sent: Monday, August 09, 2004 1:12 PM : To: webappsec () securityfocus com : Subject: Re: XSS help : : : Thanx All, : : Onother, possibly silly question but i dont know the : answer... Is there a way to view source code (of php script) : somehow through envoking JS. I mean I know one is server : other is client side but still : rather interested if thats possible. : : Serg : : On Tue, 2004-08-10 at 02:05, David Precious wrote: : > On Monday 09 August 2004 14:12, Serg B. wrote: : > > Hi All, : > > : > > I am testing a site and came across a scenario where there is a : > > login form displayed on front page with a form heading that is : > > displayed by being passed in, from GET variable by : appending it to : > > the URL. : > > : > <snip> : > : > > So this leads me to the next thought. Is it at all possible to : > > execute an arbitrary server side code on the server via this bug? : > > : > > E.g.: : > > www.mydomain.com/form.php?var=<?php echo 'test' ?> : > > : > > This was unsuccessful since quotes (both ' and ") got escaped. I : > > then : > > tried: : > > www.mydomain.com/form.php?var=<?php echo 1 ?> : > > : > > Which echoed everything, PHP tags, code, etc (from : looking at page : > > source). I also tried to wrap all of this business in JS escape : > > function with no luck. : > > : > > So the question is how I could run PHP (not JavaScript, : since that : > > was covered in numerous papers and presentations...) from what I : > > found. : > : > No, the PHP script will just be echo'ing out the 'var' variable - it : > should not be attempting to execute it. : > : > Because the coder hasn't taken precautions to clean the : input, it will : > happily output the Javascript you've given it so that the : browser will : > execute it, but it will not execute any PHP code - it'll just get : > returned to the browser as-is. : > : > Cheers : > : > David P : > : > : :
Current thread:
- XSS help Serg B. (Aug 09)
- Re: XSS help Dan Daggett (Aug 09)
- Re: XSS help David Precious (Aug 09)
- RE: XSS help Mike Andrews (Aug 09)
- Re: XSS help Serg B. (Aug 09)
- RE: XSS help Matt Szubrycht (Aug 09)
- Re: XSS help Blake Schneider (Aug 13)
- unsubsribe Riccardo Tempesta (Aug 17)
- <Possible follow-ups>
- Re: XSS help focus (Aug 09)