- Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
- Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!
Reply to: PHP cross site scripting vulnerability
Collapse
You are not logged in or you do not have permission to access this page. This could be due to one of several reasons:
- You are not logged in. If you are already registered, fill in the form below to log in, or follow the "Sign Up" link to register a new account.
- You may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
- If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.
Logging in...
Previously on "PHP cross site scripting vulnerability"
Collapse
-
Originally posted by darrylmg View PostI'm not 100% sure, but could there not be an issue with $maxpage?
Some unscrupulous person could inject Javascript into the query string and it could pop out within the page and be executed.
The JS could then pull in some really malicious code via Ajax...
PHP Code:$maxpage = intval($_POST['maxpage'], 10);
// do sanity checking here, as an XSS attack or such would result in $maxpage being zero
Leave a comment:
-
I'm starting to wonder if their messages mean anything at all. Although this is the first email I got, I note a list of messages on their webpage. Site is ok, site has a problem, Site is ok, site has a problem, Site is ok, site has a problem.... Maybe it only has a problem on Mondays.
Leave a comment:
-
I'm not 100% sure, but could there not be an issue with $maxpage?
Some unscrupulous person could inject Javascript into the query string and it could pop out within the page and be executed.
The JS could then pull in some really malicious code via Ajax...
Leave a comment:
-
Originally posted by xoggoth View PostMuch cheers. Their message is a bit misleading but putting that for $page seems to have sorted it. I was already using HTML entities in the form to self post but not similarly protecting the page bit.
Glad you got it sorted!
Leave a comment:
-
Much cheers. Their message is a bit misleading but putting that for $page seems to have sorted it. I was already using HTML entities in the form to self post but not similarly protecting the page bit.
Leave a comment:
-
It's because you're using unsanitised variables directly within the script. As it happens, because you're just putting them into vanilla HTML then I don't think it's really a vulnerability (It's no different to what one could do with the Developer Tools in Chrome etc) but it'd get dangerous if you were putting them into any calls or DB queries.
Try using something like this: http://php.net/manual/en/function.htmlspecialchars.php
$page = htmlspecialchars($_POST['page']);Last edited by vwdan; 20 November 2014, 10:54.
Leave a comment:
-
PHP cross site scripting vulnerability
Got a Sitelock warning about
"Cross site scripting vulnerability found in args:back,fwd,maxpage,page"
This is a very simple page that allows you to click on a back or forward button and scroll between a set of pictures.
Eg forward button code:
if (isset($_POST['fwd']))
{
$page = $_POST['page'];
$maxpage = $_POST['maxpage'];
$page++;
if ($page>$maxpage)
{
$page = 1;
}
else
{
$fwd = "visible";
}
$back = "visible";
}
HTML stuff here
<?php
echo "<img src='month$page.jpg' width='950' alt='$page'>";
?>
more HTML
<form name="page" action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post">
<?php
echo <<<END
<div class="content-back"><input style="visibility:$back" type="submit" name="back" value=""></div>
<div class="content-fwd"><input style="visibility:$fwd" type="submit" name="fwd" value=""></div>
<input type='hidden' name='page' value='$page'>
<input type='hidden' name='maxpage' value='$maxpage'>
END;
Any ideas why that would be vulnerable? Cheers.Last edited by xoggoth; 20 November 2014, 10:41.Tags: None
- Home
- News & Features
- First Timers
- IR35 / S660 / BN66
- Employee Benefit Trusts
- Agency Workers Regulations
- MSC Legislation
- Limited Companies
- Dividends
- Umbrella Company
- VAT / Flat Rate VAT
- Job News & Guides
- Money News & Guides
- Guide to Contracts
- Successful Contracting
- Contracting Overseas
- Contractor Calculators
- MVL
- Contractor Expenses
Advertisers
Contractor Services
CUK News
- Streamline Your Retirement with iSIPP: A Solution for Contractor Pensions Sep 1 09:13
- Making the most of pension lump sums: overview for contractors Sep 1 08:36
- Umbrella company tribunal cases are opening up; are your wages subject to unlawful deductions, too? Aug 31 08:38
- Contractors, relabelling 'labour' as 'services' to appear 'fully contracted out' won't dupe IR35 inspectors Aug 31 08:30
- How often does HMRC check tax returns? Aug 30 08:27
- Work-life balance as an IT contractor: 5 top tips from a tech recruiter Aug 30 08:20
- Autumn Statement 2023 tipped to prioritise mental health, in a boost for UK workplaces Aug 29 08:33
- Final reminder for contractors to respond to the umbrella consultation (closing today) Aug 29 08:09
- Top 5 most in demand cyber security contract roles Aug 25 08:38
- Changes to the right to request flexible working are incoming, but how will contractors be affected? Aug 24 08:25
Leave a comment: