Re: [PHP] Re: Cross site scripting

2009-06-09 Thread Nitsan Bin-Nun
XSS or Cross Site Scripting is the ability to inject malicious
javascript or HTML to the $_POST or $_GET variables, and at the bottom
line - to get them printed and output to the client through the
HTML code of the page.

In order to avoid such security issues all you have to do is to
sanitise the $_GET and $_POST input before outputting them to the
browser. Check out htmlentities() and similar stuff.

On Tue, Jun 9, 2009 at 8:47 PM, Skip Evans wrote:
> Well, the function filter_input(INPUT_GET, 'kw', FILTER_SANITIZE_ENCODED);
>
> ...seemed to take care of the example on the report by Security Metrics.
>
> Am I on the right track here, at least?
>
> I'm reading pages on 'sanitizing PHP input'. Is that where I should be
> headed?
>
> Skip
>
> Shawn McKenzie wrote:
>>
>> Skip Evans wrote:
>>>
>>> Hey all,
>>>
>>> You may have seen my earlier message about a current client whose site
>>> I've taken over maintenance on that is trying to get PCI Compliance from
>>> Security Metrics. I've put all the forms behind https and a couple of
>>> other things, but this one I don't know how to solve. I'll read up on
>>> cross site scripting, but could someone help me understand what they
>>> believe the vulnerability is in their notes below?
>>>
>>> Thanks,
>>> Skip
>>>
>>> Possible cross site scripting on http://www.ranghart.com/index.php
>>>
>>> Use the following commands to verify this: wp --inject
>>>
>>>
>>> "http://www.ranghart.com/index.php?action=searchkw=SEARCH%22%3E%3Cscript%3Ealert%28123%29%3C%
>>>
>>> TCP http/https 4
>>>                 curl -L
>>>
>>>
>>> "http://www.ranghart.com/index.php?action=searchkw=SEARCH%22%3E%3Cscript%3Ealert%28123%29%3C%
>>>
>>>                 grep "123" This website may have other injection
>>> related vulnerabilities.
>>>
>>
>> Well, their example is not correct, try:
>>
>> http://www.ranghart.com/index.php?action=search&kw=SEARCH%3Cscript%3Ealert%28"Im
>> doing some nasty JavaScipt hacking here!"%29%3B%3C%2Fscript%3E in a
>> browser.
>>
>> This means that you're not validating/sanitizing input.  You can't just
>> take the contents of a $_GET, $_POST, etc. (any user input) variable and
>> echo it out.
>>
>
> --
> 
> Skip Evans
> Big Sky Penguin, LLC
> 503 S Baldwin St, #1
> Madison WI 53703
> 608.250.2720
> http://bigskypenguin.com
> 
> Those of you who believe in
> telekinesis, raise my hand.
>  -- Kurt Vonnegut
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

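An added illustration of the point made above (not code from the thread or from the site under discussion): the reflected search-term pattern the scanner flagged, first echoed raw and then escaped for the HTML context at output time, alongside the URL-encoding that FILTER_SANITIZE_ENCODED performs. The function names and the sample input are constructed for this example.

```php
<?php
// Added example, not from the original thread. Function names and the
// sample value below are constructed for illustration.

/** Vulnerable: the query parameter is reflected into the page unchanged. */
function render_search_unsafe(string $kw): string
{
    return '<input name="kw" value="' . $kw . '"> Results for: ' . $kw;
}

/** Fixed: escape at output time, for the context the value lands in (HTML). */
function render_search_safe(string $kw): string
{
    // ENT_QUOTES also escapes the double quote, so the value cannot close
    // the value="..." attribute early; the charset is stated explicitly.
    $esc = htmlspecialchars($kw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="kw" value="' . $esc . '"> Results for: ' . $esc;
}

/**
 * What FILTER_SANITIZE_ENCODED actually does: URL-encoding. That hides
 * the <script> probe, but it is escaping for a URL, not for HTML, and it
 * is applied on input rather than where the value is emitted, so ordinary
 * text such as "O'Reilly C++" is mangled on the page.
 */
function url_encode_sanitizer(string $kw): string
{
    return filter_var($kw, FILTER_SANITIZE_ENCODED);
}

/** True when the rendered HTML still contains a live <script> element. */
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed input in the shape of the report's alert(123) probe.
$kw = 'SEARCH"><script>alert(123)</script>';

echo 'unsafe output has <script>: ', var_export(contains_script_tag(render_search_unsafe($kw)), true), PHP_EOL;
echo 'safe output has <script>:   ', var_export(contains_script_tag(render_search_safe($kw)), true), PHP_EOL;
echo 'safe output: ', render_search_safe($kw), PHP_EOL;
echo 'url-encoded "O\'Reilly C++": ', url_encode_sanitizer("O'Reilly C++"), PHP_EOL;
```

The check to carry away is the third line of output: the escaped page still shows the search term verbatim to the user, while the browser no longer parses any part of it as markup.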
Re: [PHP] Re: Cross site scripting

2009-06-09 Thread Skip Evans
Well, the function filter_input(INPUT_GET, 'kw', FILTER_SANITIZE_ENCODED);


...seemed to take care of the example on the report by Security Metrics.


Am I on the right track here, at least?

I'm reading pages on 'sanitizing PHP input'. Is that where I should be headed?


Skip

> Shawn McKenzie wrote:
>
>> Skip Evans wrote:
>>
>> Hey all,
>>
>> You may have seen my earlier message about a current client whose site
>> I've taken over maintenance on that is trying to get PCI Compliance from
>> Security Metrics. I've put all the forms behind https and a couple of
>> other things, but this one I don't know how to solve. I'll read up on
>> cross site scripting, but could someone help me understand what they
>> believe the vulnerability is in their notes below?
>>
>> Thanks,
>> Skip
>>
>> Possible cross site scripting on http://www.ranghart.com/index.php
>>
>> Use the following commands to verify this: wp --inject
>>
>> "http://www.ranghart.com/index.php?action=searchkw=SEARCH%22%3E%3Cscript%3Ealert%28123%29%3C%
>>
>> TCP http/https 4
>>  curl -L
>>
>> "http://www.ranghart.com/index.php?action=searchkw=SEARCH%22%3E%3Cscript%3Ealert%28123%29%3C%
>>
>>  grep "123" This website may have other injection
>> related vulnerabilities.
>>
>
> Well, their example is not correct, try:
> http://www.ranghart.com/index.php?action=search&kw=SEARCH%3Cscript%3Ealert%28"Im
> doing some nasty JavaScipt hacking here!"%29%3B%3C%2Fscript%3E in a browser.
>
> This means that you're not validating/sanitizing input.  You can't just
> take the contents of a $_GET, $_POST, etc. (any user input) variable and
> echo it out.
>



--

Skip Evans
Big Sky Penguin, LLC
503 S Baldwin St, #1
Madison WI 53703
608.250.2720
http://bigskypenguin.com

Those of you who believe in
telekinesis, raise my hand.
 -- Kurt Vonnegut
