Hi,

with PHP lib 7.2b (and it seems no different in CVS) there's a cross site 
scripting attack possible.

Anyone can use such a link to break out of the input field:
http://server/home.php?username=X">YYY
(home.php needs to be a page that's protected with my_Auth)

This is a problem since any code, especially javascript code, can then be 
placed on the page. This can be used to get a user's password.

More general information is here:
http://www.cert.org/advisories/CA-2000-02.html

The attached patch is supposed to fix the problem for crloginform.ihtml. 
It would be great if someone with CVS write access could check + apply it 
(also for at least the other login form file. I don't know about other 
places, since I'm not so familiar with PHP lib).

Regards
 Daniel

-- 
Daniel Naber, Paul-Gerhardt-Str. 2, 33332 Guetersloh, Germany
Tel. 05241-59371, Mobil 0170-4819674
--- crloginform.ihtml.org       Sun Feb 11 20:30:26 2001
+++ crloginform.ihtml   Sun Feb 11 20:30:59 2001
@@ -41,6 +41,17 @@
 </script>
 </head>
 
+<?
+// Escape stuff that gets printed to page to avoid cross site scripting:
+function escape($string) {
+       $string = preg_replace("/&/", "&amp;", $string);
+       $string = preg_replace("/\"/", "&quot;", $string);
+       $string = preg_replace("/</", "&lt;", $string);
+       $string = preg_replace("/>/", "&gt;", $string);
+       return $string;
+}
+?>
+
 <body bgcolor="#ffffff">
 <h1>Test for Login</h1>
 
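Review bot: the new escape() function in this hunk duplicates what PHP's built-in htmlspecialchars() already provides, and it misses the single-quote case, so a value printed inside a single-quoted attribute would still not be safe; `return htmlspecialchars($string, ENT_QUOTES);` covers `&`, `"`, `'`, `<` and `>` in one call and avoids four preg_replace() passes for what are literal, single-character substitutions. Two smaller points: the block opens with the short tag `<?` while the rest of the file uses `<?php`, and defining a function inside a template that may be included more than once will raise a "cannot redeclare" fatal error, so the helper is better placed in the library's shared code (where the other login form the author mentions could also use it).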
@@ -48,11 +59,11 @@
 
 Please identify yourself with a username and a password:<br>
 
-<form name="login" action="<?php print $this->url() ?>" method=post>
+<form name="login" action="<?php print escape($this->url()) ?>" method=post>
 <table border=0 bgcolor="#eeeeee" align="center" cellspacing=0 cellpadding=4>
  <tr valign=top align=left>
   <td>Username:</td>
-  <td><input type="text" name="username" value="<?php print 
(isset($this->auth["uname"]) ? $this->auth["uname"] : "" ) ?>" size=32 
maxlength=32></td>
+  <td><input type="text" name="username" value="<?php print 
+(isset($this->auth["uname"]) ? escape($this->auth["uname"]) : "" ) ?>" size=32 
+maxlength=32></td>
  </tr>
  
  <tr valign=top align=left>
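Review bot: this hunk will not apply as posted, because the mailer has wrapped the two long `print` lines (the `-` line beginning `<td><input type="text" name="username" value="<?php print` and its `+` counterpart) onto continuation lines without `-`/`+` prefixes; the patch needs to be regenerated and sent as an attachment or with line wrapping disabled. On the content itself: wrapping `$this->url()` and `$this->auth["uname"]` in escape() is the right fix for these two attribute contexts, but the hunk ends at the username row, so the remaining rows of the form (and, as the cover note says, the other login form file) should be checked for any further `$this->auth[...]` values printed into attributes without the same treatment.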