Posted: Mon Apr 09, 2007 8:00 pm
I can't take credit for that typecasting quirk: it's been bouncing around ha.ckers.org for some time. A few more gems:

Code:
<?php
$id = $content = 'default';
if (isset($_GET['id'])) {
    $id = stripslashes($_GET['id']);
}
if (isset($_GET['content'])) {
    $content = stripslashes($_GET['content']);
}
// ereg* is not binary safe: a NUL byte in the input ends the comparison early
if (!eregi('^[a-z[]]*$', $id) || !eregi('^[a-z[]]*$', $content)) {
    $id = $content = 'default';
}
?>

Is vulnerable because the ereg functions are not binary safe, and thus a null byte will cause the ereg engine to ignore anything coming after. The user-education bit that comes along with this is, quite simply, don't use the ereg functions!

Code:
<?php
$id = $content = 'default';
if (isset($_GET['id'])) {
    $id = stripslashes($_GET['id']);
}
if (isset($_GET['content'])) {
    $content = stripslashes($_GET['content']);
}
?>
<p id="<?php echo htmlspecialchars($id, ENT_QUOTES); ?>"><?php echo strip_tags($content); ?></p>

Which is vulnerable in Internet Explorer 6 due to character encoding issues: try passing ?id=%EF&content=%22%20onmouseover=%22alert('xss')%22>asdf to the script and you'll see what I mean. The moral of the story here is: 1. Don't allow unescaped quotes in your text, 2. Don't use strip_tags, and 3. Check all your strings for UTF-8 well-formedness!

While I love PHP and believe it's absolutely awesome, these are some cases where certain architectural designs have resulted in seemingly innocuous bits of code being security risks. I was surprised by all three of these problems when I first heard about them, as well as when I heard about this new one by Esser. I believe it's important that we not write these problems off as "real, but difficult to exploit." Instead, we should file them away, and provide them as compelling reasons why newbies should adopt what we call "best practices".
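A hardened counterpart to the two snippets in the post above, added here as an example rather than code from the original poster: it rejects NUL bytes outright, checks UTF-8 well-formedness, anchors the whitelist over the whole value, and escapes output with htmlspecialchars instead of strip_tags. The function names, the dropped stripslashes call and the sample inputs are my own assumptions.

```php
<?php
// Added example, not from the original post. Hardened validation/output for
// the $id / $content parameters discussed above. Names and inputs are constructed.

// Returns the parameter if it is a NUL-free, well-formed UTF-8 string matching
// [a-z]* over its ENTIRE length; otherwise the default.
function safe_param(array $src, string $key, string $default = 'default'): string {
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return $default;
    }
    $v = $src[$key];
    // Reject NUL bytes explicitly rather than trusting the regex engine
    // (ereg stopped at the first NUL; preg is binary safe, but be explicit).
    if (strpos($v, "\0") !== false) {
        return $default;
    }
    // Reject malformed UTF-8 such as a lone 0xEF lead byte (the %EF case).
    if (!mb_check_encoding($v, 'UTF-8')) {
        return $default;
    }
    // \A and \z anchor the whole string; a bare '$' would still allow a
    // trailing "\n". The 'u' modifier makes preg_match fail on bad UTF-8 too.
    if (!preg_match('/\A[a-z]*\z/u', $v)) {
        return $default;
    }
    return $v;
}

// Escape for an HTML attribute or text node: encode both quote kinds and
// declare the charset, instead of trying to strip tags from untrusted text.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs mirroring the bypass patterns described in the post.
    $cases = [
        'abc'               => 'abc',      // clean value passes
        "abc\0<script>"     => 'default',  // NUL byte after a valid prefix
        "\xEF"              => 'default',  // malformed UTF-8 lead byte
        'x" onmouseover="1' => 'default',  // quote / attribute injection
        "abc\n"             => 'default',  // trailing newline that '$' would allow
    ];
    foreach ($cases as $in => $want) {
        $got = safe_param(['id' => $in], 'id');
        if ($got !== $want) { fwrite(STDERR, "FAIL: " . bin2hex($in) . "\n"); exit(1); }
    }
    echo '<p id="' . esc(safe_param(['id' => 'ok'], 'id')) . '">'
       . esc('<b>"text"</b>') . "</p>\n";
}
```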