Detect the vulnerability in this PHP file [closed]

Developer https://www.devze.com 2023-03-26 10:49 Source: Internet
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance. Closed 11 years ago.

I have this link

http://example.com/example.php?link=<link>&title=<title>&bild=<picturelink>&named=<text>

Each term in <> stands for a variable, which could be changed by a mean-spirited attacker.

<named> = domain-name of <link>

This is the handling php file

<?php
if (strpos($_GET['named'], "known.com") !== false or
    strpos($_GET['named'], "known2.com") !== false or
    strpos($_GET['named'], "known3.com") !== false)
{
    echo '<div align="center"><a href=' .
         $_GET['link'] .
         ' target="_blank"><img alt="' .
         htmlentities(utf8_decode($_GET['title'])) .
         '"  title="' . htmlentities(utf8_decode($_GET['title'])) .
         '"  src=' . $_GET['bild'] .
         '  border=0></a></div><br><br><b>' .
         htmlentities(utf8_decode($_GET['title'])) .
         '</b><br><br><a  href=' .
         htmlentities($_GET['link']) .
         ' target="_blank" style="color: grey;">Text <i>' .
         htmlentities(utf8_decode($_GET['title'])) . '</i> text ' .
         htmlentities($_GET['named']) . '!</a><br>(text)';
}
else
{
    echo 'not allowed';
}
?>

How can it be attacked and which changes to the php file do you recommend?


Escape your data!!!

Any user input should not be able to be directly put into the HTML, or they can insert JavaScript and steal sessions and whatnot.

Use something like this: htmlspecialchars($_GET['link'])

See also: http://en.wikipedia.org/wiki/Cross-site_scripting#Exploit_scenarios


http://example.com/example.php?link=></a><script>alert('Pwned');</script><a&title=blaba&bild=blabla&named=known.com

This URL produces the following HTML:

<div align="center">
    <a href=></a>
        <script>alert('Pwned');</script>
    <a target="_blank">
        <img alt="blabla"  title="blabla"  src=blabla  border=0>
    </a>
</div>
<br><br>
<b>blabla</b><br><br>
<a  href=blabla target="_blank" style="color: grey;">Text <i>blabla</i> text known.com!</a><br>(text)

You can see a valid <script> tag in it.


When printing these variables, you should convert them to entities at all times. So, in this case, you forgot a few variables.

$_CLEAN = array();
foreach($_GET as $key => $value) {
    $_CLEAN[$key] = htmlentities($value);
}

Instead of echoing $_GET, you should echo $_CLEAN.


Edit: Escape your Data from the Get Variables.
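
A hardened version of the handler from the question, as an added example that is not part of the original post or of any answer. It quotes every attribute, escapes each value, accepts only http(s) URLs for link and bild, and derives the displayed host from link itself instead of trusting the separate named parameter. Assumptions: PHP 8.0+, a page served as UTF-8, the known*.com names are an allow-list of link targets, and the helper names (esc, http_url, allowed_host, render_link) are hypothetical.

```php
<?php // Added example, not the original poster's code. Requires PHP 8.0+.
const ALLOWED_HOSTS = ['known.com', 'known2.com', 'known3.com']; // the question's placeholder hosts

// Escape a value for HTML text or for a *quoted* attribute value.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Return $url only if it is an absolute http(s) URL without userinfo, else null.
function http_url(mixed $url): ?string
{
    if (!is_string($url) || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $p = parse_url($url) ?: [];
    $ok = in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true) && !isset($p['user']);
    return $ok ? $url : null;
}

// Host is read from the link itself: an exact allow-listed name or a subdomain of one.
function allowed_host(string $url): ?string
{
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    foreach (ALLOWED_HOSTS as $allowed) {
        if ($host === $allowed || str_ends_with($host, '.' . $allowed)) {
            return $host;
        }
    }
    return null;
}

// Build the HTML fragment, or return null when the request must be refused.
function render_link(array $q): ?string
{
    $link  = http_url($q['link'] ?? null);
    $bild  = http_url($q['bild'] ?? null);
    $title = $q['title'] ?? '';
    $host  = $link === null ? null : allowed_host($link);
    if ($host === null || $bild === null || !is_string($title)) {
        return null;
    }
    [$l, $b, $t] = [esc($link), esc($bild), esc($title)];
    return '<div align="center"><a href="' . $l . '" target="_blank" rel="noopener"><img alt="' . $t
        . '" title="' . $t . '" src="' . $b . '" border="0"></a></div><br><br><b>' . $t . '</b><br><br>'
        . '<a href="' . $l . '" target="_blank" rel="noopener" style="color: grey;">Text <i>' . $t
        . '</i> text ' . esc($host) . '!</a><br>(text)';
}
header('Content-Type: text/html; charset=UTF-8');
echo render_link($_GET) ?? 'not allowed';
```

Escaping alone is not enough here: an escaped value in an unquoted attribute can still end at a space, and a URL with a non-http scheme survives htmlentities unchanged, which is why the attributes are quoted and the scheme is checked.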
