I recently went on a PHP course and I was impressed that from minute one the trainer was hammering home the fact that we need to code defensively.
Specifically escaping user input for these and other nasty SQL-injection techniques hackers use. It really opened my eyes to how vulnerable a system could be. Let's be careful out there, people ;)

James.

On 25/5/07 00:46, "Aparajita Fishman" <[EMAIL PROTECTED]> wrote:

>> Not sure if it's related, but access to my "logs" directory was
>> another "low" concern which I have now blocked access to. I
>> noticed the log directory was listed in the URL below, and maybe
>> the two were related. I have some 3rd party software which
>> analyses my web logs nightly and generates html reports within the
>> logs directory.
>
> It is up to you to protect the logs directory within an http security
> realm.
>
>> http://test.superiorbag.com:80/logs?><script>alert('XSS');</script>
>>
>> The handling of certain HTTP requests that produce "302 Object
>> Moved" responses allows attackers to launch cross-site scripting
>> attacks. When the server receives an HTTP request for a directory
>> without a trailing slash, it returns a 302 Object Moved error
>> message, redirecting the client to the requested directory, with a
>> forward slash. Also included in the body of the HTTP response are
>> any GET parameters that were included in the original request.
>> These parameters are not properly sanitized for malicious content
>> before being returned to the client.
>
> What this is saying is that when a request for the above url is made,
> Active4D redirects to:
>
> http://test.superiorbag.com:80/logs/?><script>alert('XSS');</script>
>
> Within the body of the redirect is a link which looks like this if
> you use Safari or IE (but not Mozilla-based browsers):
>
> <a href="http://test.superiorbag.com:80/logs/?><script>alert('XSS');</script>">Click here</a>
>
> That is what the test was complaining about. However, none of the
> browsers I have tested (even IE6) will actually execute that
> Javascript.
>
> What EVERYONE should be careful of is not to write values that come
> from user input (or the database) to the page without using
> 'escape' (in Javascript) or 'mac to html' (in Active4D).
>
> For example, if you allow a user to enter something through the web
> which gets stored in the database, they could enter a bunch of
> javascript code. If you subsequently write the value to the screen,
> the javascript will get executed. In fact my demo suffers from this
> vulnerability. Doh!
>
> Anyway, the bottom line in this case is that it is a false positive,
> although I will make a change to Active4D so that the query in a
> redirect is url encoded, which effectively sanitizes it.
>
> Regards,
>
> Aparajita
> www.aparajitaworld.com
>
> "If you dare to fail, you are bound to succeed."
> - Sri Chinmoy | www.srichinmoylibrary.com
>
> _______________________________________________
> Active4D-dev mailing list
> [email protected]
> http://mailman.aparajitaworld.com/mailman/listinfo/active4d-dev
> Archives: http://mailman.aparajitaworld.com/archive/active4d-dev/
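Added illustration, not code from this thread or from Active4D, written in Python for lack of a runnable Active4D: it builds the "302 Object Moved" redirect body Aparajita describes, once echoing the raw query into the "Click here" link and once with the query URL-encoded (the change she proposes) plus HTML-escaping of the href attribute. The host, path and payload are the ones quoted in the thread; the function names are assumptions of mine.

```python
# Added example (Python, not Active4D): how a 302 redirect body can echo an
# unencoded query string into HTML, and how encoding/escaping closes the hole.
from html import escape
from urllib.parse import quote

HOST = "http://test.superiorbag.com:80"  # host from the URL quoted in the thread


def redirect_target(path: str, query: str) -> str:
    """Directory requested without a trailing slash: redirect to path + '/'
    and carry the original query string along, as the scanner report describes."""
    target = f"{HOST}{path}/"
    return f"{target}?{query}" if query else target


def vulnerable_redirect_body(path: str, query: str) -> str:
    # Mirrors the behaviour the thread describes: the raw query is written
    # straight into the anchor's href with no encoding or escaping.
    return f'<a href="{redirect_target(path, query)}">Click here</a>'


def safe_redirect_body(path: str, query: str) -> str:
    # Fix 1 (Aparajita's proposed change): URL-encode the query so '<', '>',
    # quotes and slashes cannot reach the HTML verbatim. '=' and '&' stay so
    # that key=value&key2=value2 structure survives.
    encoded_query = quote(query, safe="=&")
    # Fix 2 (defence in depth): HTML-escape the attribute value as well, so a
    # value that somehow bypassed encoding still cannot break out of the href.
    href = escape(redirect_target(path, encoded_query), quote=True)
    return f'<a href="{href}">Click here</a>'


def contains_raw_script(html_body: str) -> bool:
    """Cheap check a test or log scanner can apply to a response body."""
    return "<script>" in html_body.lower()


# Constructed sample input: the path and payload the scanner quoted in the thread.
SAMPLE_PATH = "/logs"
SAMPLE_QUERY = "><script>alert('XSS');</script>"
```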
