WebApp Sec mailing list archives

RE: XSS help


From: "Matt Szubrycht" <matt () bmihosting com>
Date: Mon, 9 Aug 2004 15:18:18 -0400

Serg,

Once PHP is executed on the server, the browser cannot see the PHP
source code.

Regards,
Matt
  
 


: -----Original Message-----
: From: Serg B. [mailto:serg () dodo com au] 
: Sent: Monday, August 09, 2004 1:12 PM
: To: webappsec () securityfocus com
: Subject: Re: XSS help
: 
: 
: Thanks All,
: 
: Another, possibly silly question but I don't know the 
: answer... Is there a way to view source code (of php script) 
: somehow through invoking JS. I mean I know one is server 
: other is client side but still
: rather interested if that's possible.
: 
:    Serg
: 
: On Tue, 2004-08-10 at 02:05, David Precious wrote:
: > On Monday 09 August 2004 14:12, Serg B. wrote:
: > > Hi All,
: > >
: > > I am testing a site and came across a scenario where there is a 
: > > login form displayed on front page with a form heading that is 
: > > displayed by being passed in, from GET variable by appending it to 
: > > the URL.
: > >
: > <snip>
: > 
: > > So this leads me to the next thought. Is it at all possible to 
: > > execute an arbitrary server side code on the server via this bug?
: > >
: > > E.g.:
: > >    www.mydomain.com/form.php?var=<?php echo 'test' ?>
: > >
: > > This was unsuccessful since quotes (both ' and ") got escaped. I 
: > > then tried:
: > >    www.mydomain.com/form.php?var=<?php echo 1 ?>
: > >
: > > Which echoed everything, PHP tags, code, etc (from looking at page 
: > > source). I also tried to wrap all of this business in JS escape 
: > > function with no luck.
: > >
: > > So the question is how I could run PHP (not JavaScript, since that 
: > > was covered in numerous papers and presentations...) from what I 
: > > found.
: > 
: > No, the PHP script will just be echo'ing out the 'var' variable - it
: > should not be attempting to execute it.
: > 
: > Because the coder hasn't taken precautions to clean the input, it will
: > happily output the Javascript you've given it so that the browser will 
: > execute it, but it will not execute any PHP code - it'll just get 
: > returned to the browser as-is.
: > 
: > Cheers
: > 
: > David P
: > 
: > 
: 
: 
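
An added example, not code from any of the posters or from the site under test: a constructed stand-in for the form heading described in the thread, showing that an echoed value is returned to the browser as data rather than executed as PHP, next to the same output with HTML encoding applied. Only the parameter name 'var' and the first sample value come from the thread; the function names and the second sample are assumptions.

```php
<?php
// Constructed stand-in for the form.php heading discussed in the thread.
// The real script is not shown on the page; these function names are hypothetical.

// Rendering as the thread describes it: the value is placed into the HTML as-is.
// PHP does not re-parse its own output, so a PHP tag inside the value is just text.
function render_heading_unsafe(string $heading): string
{
    return "<h1>" . $heading . "</h1>";
}

// Hardened rendering: HTML metacharacters are encoded for the output context,
// so the browser displays the value instead of interpreting it as markup.
function render_heading_safe(string $heading): string
{
    $encoded = htmlspecialchars($heading, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>" . $encoded . "</h1>";
}

// Sample values standing in for $_GET['var'] so the script runs from the CLI.
// The first is the value quoted in the thread; the second is constructed.
$samples = [
    "<?php echo 1 ?>",
    "<b>Login</b>",
];

foreach ($samples as $value) {
    echo "input : ", $value, PHP_EOL;
    echo "unsafe: ", render_heading_unsafe($value), PHP_EOL;
    echo "safe  : ", render_heading_safe($value), PHP_EOL, PHP_EOL;
}
```

In the "unsafe" lines the value comes back byte for byte, which matches what Serg saw in the page source; in the "safe" lines the angle brackets are entity-encoded, so the browser treats the heading as text.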

