I have this link
http://example.com/example.php?link=<link>&title=<title>&bild=<picturelink>&named=<text>
each term in <> stands for a variable, which could be changed by a mean - spirited attacker.
<named> = domain-name of <link>
This is the handling php file
<?php
if(strpos($_GET[named],"known.com")!==false or
strpos($_GET[named],"known2.com")!==false or
strpos($_GET[named],"known3.com")!==false)
{
echo '<div align="center"><a href=' .
$_GET[link] .
' target="_blank"><img alt="' .
htmlentities(utf8_decode($_GET[title])) .
'" title="' . htmlentities(utf8_decode($_GET[title])) .
'" src=' . $_GET[bild] .
' border=0></a></div><br><br><b>' .
htmlentities(utf8_decode($_GET[title])) .
'</b><br><br><a href=' .
htmlentities($_GET[link]) .
' target="_blank" style="color: grey;">Text <i>' .
htmlentities(utf8_decode($_GET[title])) . '</i> text ' .
htmlentities($_GET[named]) . '!</a><br>(text)';
}
else
{
echo 'not allowed';
}
?>
How can it be attacked and which changes to the php file do you recommend?
Escape your data!!!
Any user input should not be able to be directly put into the HTML, or they can insert Javascript and steal sessions and what not.
Use something like this this: htmlspecialchars($_GET['link'])
See also: http://en.wikipedia.org/wiki/Cross-site_scripting#Exploit_scenarios
http://example.com/example.php?link=></a><script>alert('Pwned');</script><a&title=blaba&bild=blabla&named=known.com
This url produce following HTML:
<div align="center">
<a href=></a>
<script>alert('Pwned');</script>
<a target="_blank">
<img alt="blabla" title="blabla" src=blabla border=0>
</a>
</div>
<br><br>
<b>blabla</b><br><br>
<a href=blabla target="_blank" style="color: grey;">Text <i>blabla</i> text known.com!</a><br>(text)
You can see a valid <script>
tag in it
When printing these variables, you should convert them to entities at all times. So, in this case, you forgot a few variables.
$_CLEAN = array();
foreach($_GET as $key => $value) {
$_CLEAN[$key] = htmlentities($value);
}
instead of echo'ing $_GET, you should echo $_CLEAN
Edit: Escape your Data from the Get Variables.
精彩评论