EvilZone


: Unfiltered form accepts <script> tag , it's dangerous ?
: invader7 December 13, 2013, 08:42:57 PM
Hello, I have a message form which saves the contents to the database and shows them when requested. I used to filter some hardcoded tags like <?php ?>, but I found it is vulnerable to <script>alert(1);</script>

JavaScript is client side, so the vulnerability is dangerous only for clients (there are no clients till now). Is there any rush for me to patch this bug as soon as possible? Is there any fear of compromising my server or finding any info about the server?
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: Kulverstukas December 13, 2013, 08:46:20 PM
So then why don't you use regex and strip the tags, or just remove the text along with those tags...? However, I am sure there are better ways to do it :P
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: invader7 December 13, 2013, 08:56:10 PM
So then why don't you use regex and strip the tags, or just remove the text along with those tags...? However, I am sure there are better ways to do it :P

I don't want to remove all tags. I'm using regex to find the tags I want to remove, but I didn't think about script! Is this dangerous at the moment, do I have to rush? Always talking about the server!
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: techb December 13, 2013, 09:06:39 PM
Yes, patch it. You never want something that can run scripts or code without your direct control over it. Having clients being able to store and run scripts is bad.
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: invader7 December 13, 2013, 09:26:44 PM
Thanks!! I will. I'm controlling tags like this:

If a user wants to post <?php echo phpinfo(); ?> I will make it <!--?php echo phpinfo(); ?-->

Is this enough?

I'm using PHP 5.3.3
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: techb December 13, 2013, 09:28:26 PM
Why not remove or reject the entries?
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: invader7 December 13, 2013, 09:32:43 PM
Why not remove or reject the entries?

Don't know, just a quick thought. Is it an insecure way? Or just a waste..
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: techb December 13, 2013, 09:40:49 PM
It's a quick and dirty way, but removing the entries altogether would be ideal.
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: invader7 December 13, 2013, 09:47:13 PM
It's a quick and dirty way, but removing the entries altogether would be ideal.

Thanks!!
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: ande December 13, 2013, 09:53:03 PM
This is a classic XSS example. I suggest you read up on it. Why don't you just filter everything with htmlspecialchars() or htmlentities()? I sure hope you are escaping the database query with PDO prepared statements or mysql_real_escape_string()
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: invader7 December 13, 2013, 10:03:08 PM
This is a classic XSS example. I suggest you read up on it. Why don't you just filter everything with htmlspecialchars() or htmlentities()? I sure hope you are escaping the database query with PDO prepared statements or mysql_real_escape_string()

Yes, I have my queries secured, thanks!! I know I'm XSS vulnerable right now, but it's OK because I'm in the development stage. For one moment I thought that I was exposing my server to a server-side script. But I'm safe! Client-side attacks are harmless for the server (I think :P )
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: ande December 13, 2013, 10:21:59 PM
Yes, I have my queries secured, thanks!! I know I'm XSS vulnerable right now, but it's OK because I'm in the development stage. For one moment I thought that I was exposing my server to a server-side script. But I'm safe! Client-side attacks are harmless for the server (I think :P )

Client-side attacks (XSS) would allow an attacker to steal your session(s)/cookies and be logged in (if there is a login) without even typing a username/password. But you are correct. XSS cannot harm the server directly.
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: invader7 December 13, 2013, 10:30:55 PM
Client-side attacks (XSS) would allow an attacker to steal your session(s)/cookies and be logged in (if there is a login) without even typing a username/password. But you are correct. XSS cannot harm the server directly.

Yes, I know about cookie stealing. I was afraid about posting <?php tags to my messages. Thanks a lot for your time!! I appreciate it!
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: ande December 13, 2013, 11:26:32 PM
Yes, I know about cookie stealing. I was afraid about posting <?php tags to my messages. Thanks a lot for your time!! I appreciate it!

The PHP tags/code wouldn't be able to execute unless you ran it through eval().
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: invader7 December 13, 2013, 11:36:05 PM
The PHP tags/code wouldn't be able to execute unless you ran it through eval().

What do you mean? How am I supposed to run eval() if I can't enclose it in a <?php tag?
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: ande December 13, 2013, 11:46:12 PM
What do you mean? How am I supposed to run eval() if I can't enclose it in a <?php tag?

No. What I mean is that it is not directly dangerous to store PHP code in the database, as it will not be executed if you just print it to the page. In order for that to be dangerous you would have to run the database result through the eval() function for it to execute.
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: invader7 December 13, 2013, 11:52:44 PM
No. What I mean is that it is not directly dangerous to store PHP code in the database, as it will not be executed if you just print it to the page. In order for that to be dangerous you would have to run the database result through the eval() function for it to execute.

Yes :) OK, thanks a lot!!!
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: invader7 December 14, 2013, 01:03:20 PM
I think you're missing the idea here

Security should be designed into your software, not added in as an afterthought. This whole "it doesn't matter, it's a quick fix now" ideology is stupid.

Design the software with security in mind, don't design it to have security patched in later. It will not be as effective.

I think your thoughts are right, thanks!

You take input and sanitize it.

Let's say if you check for that string specifically... would it cover

<?php echo phpinfo(INFO_MODULES); ?> or any number of other ways it can be modified? How about every other way other tags can possibly be implemented? You don't strip entire bits of code... you strip/sanitize what makes it code.

No, this isn't dangerous because I'm searching for <?php, not the whole phpinfo()... so when I find <?php I make it <!--?php
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: ande December 14, 2013, 02:44:31 PM
Honestly you should just use htmlspecialchars() or htmlentities(), either on insert or on output from DB.
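As an added example (not code from the thread or from invader7's project), the following PHP puts invader7's "comment out the PHP tag" rewrite, approximated here as rewritePhpTags() from their description, beside ande's htmlspecialchars() output encoding and runs both over messages constructed from the payloads the thread mentions. It also illustrates ande's earlier point that stored PHP text is inert unless it reaches eval().

```php
<?php
// Added example (not code from the thread). It puts invader7's "comment out
// the PHP tag" rewrite beside ande's htmlspecialchars() output encoding and
// runs both over messages built from the payloads mentioned in the thread.
// rewritePhpTags() is an approximation of invader7's rewrite, written from
// the description in the thread; it is not their actual code.

// invader7's idea: find "<?" (long or short tag) and wrap it in an HTML comment.
function rewritePhpTags($msg)
{
    return preg_replace('/<\?(.*?)\?>/s', '<!--?$1?-->', $msg);
}

// ande's suggestion: keep the stored text as-is and encode it when it is
// echoed into an HTML body. ENT_QUOTES also encodes single quotes so the
// value is safe inside quoted attributes; ENT_SUBSTITUTE/ENT_HTML5 exist
// from PHP 5.4 and are left out here since the thread mentions PHP 5.3.3.
function encodeForHtml($msg)
{
    return htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
}

// Constructed sample messages using the payloads discussed in the thread.
$messages = array(
    'plain'  => 'Hello from a normal user',
    'php'    => '<?php echo phpinfo(); ?>',
    'short'  => '<?= phpinfo() ?>',
    'script' => '<script>alert(1);</script>',
);

foreach ($messages as $label => $msg) {
    // The rewrite only neutralises PHP tags, which were already inert: stored
    // text is never passed to eval(), so echoing it just prints it. The
    // <script> message passes through untouched and runs in the viewer's
    // browser, which is the stored XSS the thread is about.
    $rewritten = rewritePhpTags($msg);
    // Encoding replaces < > & " ' with entities, so every message, PHP tag or
    // script tag alike, is rendered as literal text and parsed as markup by nobody.
    $encoded = encodeForHtml($msg);
    printf("%-6s rewrite: %s\n       encode:  %s\n\n", $label, $rewritten, $encoded);
}
```

Run it with the PHP CLI to see that only the encoded column is safe for all four inputs; the rewrite column leaves the script message unchanged.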
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: invader7 December 15, 2013, 08:34:23 PM
And you've obviously made sure short tags and such are disabled as well?

Obviously yes :) You mean <? <?=, I'm searching for the 2 characters <?, something else in mind?

Honestly you should just use htmlspecialchars() or htmlentities(), either on insert or on output from DB.

Yes, you are right! It's a targeted product for a closed group of people who are not supposed to hack it and it's on production. But you are right, I will follow :)

The best way to write safer code is to manage to bypass your own code and then improve it ;)
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: techb December 15, 2013, 09:03:07 PM
Yes, you are right! It's a targeted product for a closed group of people who are not supposed to hack it and it's on production. But you are right, I will follow :)

I was a "production" employee at an ISP tech support center, the amount of fail they had in their systems was epic. People like me, and people like in "production" WILL break things. Don't assume all others are stupid. I ran circles around the IT at my last job, and they all thought it was my supervisor. I quit on my own terms and my supervisor is still there, just don't underestimate the little guys. I did stuff to break systems in a few jobs I had, Lulz use putty again I DARE ya Mr telemarketer.
: Re: Unfiltered form accepts <script> tag , it's dangerous ?
: invader7 December 15, 2013, 09:14:34 PM
I was a "production" employee at an ISP tech support center, the amount of fail they had in their systems was epic. People like me, and people like in "production" WILL break things. Don't assume all others are stupid. I ran circles around the IT at my last job, and they all thought it was my supervisor. I quit on my own terms and my supervisor is still there, just don't underestimate the little guys. I did stuff to break systems in a few jobs I had, Lulz use putty again I DARE ya Mr telemarketer.

production = development, sorry, my mistake!! I wanted to write development stage, not production!!!