This is of questionable relevance, but I'm sure it can serve to
heighten awareness of vulnerabilities for those PHP'ers with similar
scripts that involve loading files based upon query string info.
We have installed Admin Secure over our PHP-Nuke CMS, and Admin Secure
recently sent us an email of
I would remove bad scripts like *Nuke.
Their code just sucks and has really lots of bugs.
Been having some hacker problems on my site, and a simple one:
I have a shoutbox, a simple form with name and text that adds lines to the
database. I do checks for insults, too long words, tags, etc, but it's still
possible to circumvent those checks by adding the data on the url instead
of
You're checking with javascript, correct? If so, try checking
server-side too.
Pag wrote:
Been having some hacker problems on my site, and a simple one:
I have a shoutbox, a simple form with name and text that adds
lines to the database. I do checks for insults, too long words, tags,
Subject: [PHP] Hacker problem
Been having some hacker problems on my site, and a simple one:
I have a shoutbox, a simple form with name and text that adds
lines to the
database. I do checks for insults, too long words, tags, etc, but it's
still
possible to circumvent those
-Original Message-
From: Pag [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:35 AM
To: [EMAIL PROTECTED]
Subject: [PHP] Hacker problem
Been having some hacker problems on my site, and a simple one:
I have a shoutbox, a simple form with name and text that adds
lines
that specific form. Hope this helps!
Brian Drexler
How would one go about doing this?
-Original Message-
From: Dan Hardiker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:44 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [PHP] Hacker problem
This could still be faked easily with a telnet
This could still be faked easily with a telnet session and some fake
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Hacker problem
That can still easily be spoofed. The only safe way is to validate
the form server-side.
[EMAIL PROTECTED] wrote:
Yes, theoretically...you could require it to be posted data. In order
to do this you would have to make
This could still be faked easily with a telnet session and some fake
http
headers. Your only way of making sure is to create a serverside script
which
So we aren't actually validating where the data is coming from, we
are just validating the data?
-Original Message-
From: Leif K-Brooks [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:57 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Hacker problem
Why don't you just do the swear filtering on shoutb.php, or wherever
it's actually
being inserted into the database?
On Wed, 2003-03-12 at 08:51, [EMAIL PROTECTED] wrote:
How would one go about doing this?
Subject: Re: [PHP] Hacker problem
// reject the post server-side if it contains a banned word or is too long
if (stristr($text, 'badword') or stristr($text, 'badword2') or
    strlen($text) > $maxlength) {
    die('Invalid!');
}
[EMAIL PROTECTED] wrote:
So how could you validate it server-side?
-Original Message-
From: Leif K-Brooks [mailto:[EMAIL PROTECTED]
Sent: Wednesday
Thanks! That's all I needed to know.
-Original Message-
From: Leif K-Brooks [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 9:04 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Hacker problem
That's just not possible.
[EMAIL PROTECTED] wrote:
Swear
[EMAIL PROTECTED] wrote:
Swear filtering is easy, I want to know how to make sure the data is
coming from MY form. I'm just picky like that. :-)
Hi,
I've done it via a ticket system
- into my form I've added a field
<input type=hidden name=ticket_to_ride value=[32-byte long generated ticket]>
-
:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 9:43 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Hacker problem
Importance: Low
[EMAIL PROTECTED] wrote:
Swear filtering is easy, I want to know how to make sure the data is
coming from MY formI'm just picky like
If you are really that strict about it coming from your site, have your
form
page create an image with five letters or numbers on it - like 4Y6O7. Have
it
create a new one each time. Then use crypt to encrypt it and put the
encrypted one into a form value, have the person that is submitting the
-Original Message-
From: Dennis Cole [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:54 PM
To: CPT John W. Holmes
Subject: RE: [PHP] Hacker problem
A script cannot read a number from
CPT John W. Holmes wrote:
This is no good unless you're saving the value server side somewhere. With
this method, I can still post to your page from anywhere, so long as I set
the two variables the same.
Who cares if the data came from your page, just validate it!
No matter what you do, it can be
My server is getting odd requests from an outside computer. Upon looking into
the requests I have found his PHP config file is pointing to my server as the
HTTP_VIA and other vars. I am wondering how I can deny him access since he
is forwarding all requests through my server with these settings. My
block his ip at the router.
tyler
On Sun, 11 Aug 2002 16:21:07 -0600
RPS Internet [EMAIL PROTECTED] wrote:
My server is getting odd requests from an outside computer. Upon
looking into the requests I have found his PHP config file is pointing to
my server as the HTTP_VIA and other vars. I am
What about all the users of his web site that are requesting his PHP scripts
that are compiling through my server?
-Original Message-
From: Tyler Longren [mailto:[EMAIL PROTECTED]]
Sent: Sunday, August 11, 2002 4:15 PM
To: RPS Internet
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Hacker