On 4/26/07, Rob Marscher <[EMAIL PROTECTED]> wrote:
How ever can someone inject their code/script onto my webpage? The code is on my server so they don't have access to it. Am I missing something here?

If you allow the user to submit anything that is then displayed on your site, they can inject javascript code unless you do a very good job "sanitizing" the user input.
And the submission may not just be limited to $_GET and $_POST... many of the $_SERVER vars can be problematic as well.

The example Chris gave about Google's old 404 page, where it echoed the requested URI without escaping it first, could have been exploited by sending the following link to someone. I don't remember the mechanism exactly, but perhaps something like:

<a href="http://www.google.com/something/not/found/%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E">hey victim, click here</a>

Given that link, if Google were to echo the value of $_SERVER['SCRIPT_URL'] without escaping, it would inject <script>alert('XSS');</script> into the page.

--
Chris Snyder
http://chxo.com/
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
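Added example, not part of the original message: a 404 handler that echoes request-derived values, first verbatim as described above and then escaped with htmlspecialchars(). The function names and the sample $server array are hypothetical and constructed for illustration; it also covers a second $_SERVER value (the User-Agent header) to show that the same rule applies beyond the path.

```php
<?php
declare(strict_types=1);

/** Escape any request-derived value before placing it in HTML text or attributes. */
function e(string $value): string
{
    // ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The behaviour the message describes: the requested path is echoed as-is. */
function render404Unsafe(array $server): string
{
    $path = rawurldecode($server['REQUEST_URI']);
    return "<p>The requested URL {$path} was not found.</p>";
}

/** Same page, with every value taken from the request escaped on output. */
function render404Safe(array $server): string
{
    $path  = e(rawurldecode($server['REQUEST_URI']));
    $agent = e($server['HTTP_USER_AGENT'] ?? '');
    return "<p>The requested URL {$path} was not found.</p>\n"
         . "<p>Your browser: {$agent}</p>";
}

// Constructed sample input standing in for $_SERVER. The path is the one from
// the link in the message; the User-Agent value is made up.
$server = [
    'REQUEST_URI'     => '/something/not/found/%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E',
    'HTTP_USER_AGENT' => 'Example/1.0 "><b>not markup</b>',
];

$unsafe = render404Unsafe($server);
$safe   = render404Safe($server);

echo "--- unescaped ---\n{$unsafe}\n\n--- escaped ---\n{$safe}\n\n";

// A simple regression check: raw tags must not survive in the escaped page body.
$leaks = strpos($safe, '<script') !== false || strpos($safe, '<b>') !== false;
echo $leaks ? "FAIL: markup reached the page\n" : "OK: values rendered as text\n";
```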
