Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I realize that, but what are the exploits and more importantly what is the fix?
The data is secured on the backend before querying the DB, etc. So it's only XSS I'm worried about, although I'm not sure if there is a potential for problems or not, other than cookie theft.
But what good that would do, I don't know. It's not persisted, so you would only ever get your own cookie information. Unless I'm missing something, which is what I am wondering.
Haha. Fair enough. I am curious to know what kind of exploit(s) could be executed by simply echoing GPC variables to an IFRAME URL.
I assume it is similar to XSS exploits found in FORM action attributes and <?php echo $_SERVER['PHP_SELF'] ?>
The only time I am personally aware of an issue (that I can think of anyway) is when data from storage is echoed without escaping. But just outputting GPC data would only allow an attacker to exploit his/her own session.
htmlspecialchars() would solve any XSS in the sense that you seem to be referring to.
However, there could be other XSS issues in what the page is actually capable of doing from the GET variables.
Hockey wrote:But just outputting GPC data, would only allow an attacker to exploit his/her own session.
... No, that's not true. That is why XSS is dangerous: all they need is a URL and a way to get people to visit the URL. Through a link... Through a src attribute... Through a redirection... Anything can do it. As long as you trust GET requests, you're open to XSS. It's just a matter of how much damage it can do.
superdezign wrote:htmlspecialchars() would solve any XSS in the sense that you seem to be referring to.
However, there could be other XSS issues in what the page is actually capable of doing from the GET variables.
Hockey wrote:But just outputting GPC data, would only allow an attacker to exploit his/her own session.
... No, that's not true. That is why XSS is dangerous: all they need is a URL and a way to get people to visit the URL. Through a link... Through a src attribute... Through a redirection... Anything can do it. As long as you trust GET requests, you're open to XSS. It's just a matter of how much damage it can do.
OK, that's what was running through the back of my mind, but I'm still not clear on how an exploit can be executed. Can you elaborate?
Using my example (initial post) how can that be exploited?
For starters, I think the function I use doesn't even concern itself with anything before '?', only appending name=value pairs, which would reproduce the URL as shown. Which I can't see as harmful, because you cannot invoke JS unless the protocol is specified properly.
I am curious to see how this can be done, using unescaped GPC data.
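As an added example (not code from this thread or from any poster), here is the pattern the original poster describes, appending $_GET name=value pairs to an IFRAME URL, in its unescaped form beside the htmlspecialchars() form superdezign recommends; the fixed base path `page.php` and the sample input are assumptions.

```php
<?php
// Added example: building an <iframe src="..."> from GPC name=value pairs.
// The base path is fixed, so only the query string is user-controlled.

/** Unescaped form: raw GPC data is concatenated straight into the attribute. */
function iframe_src_unsafe(array $params, string $base = 'page.php'): string
{
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = $name . '=' . $value; // raw value, no encoding of any kind
    }
    // A value containing a double quote terminates the src="..." attribute early,
    // so the rest of the value is parsed as HTML markup rather than as URL text.
    return '<iframe src="' . $base . '?' . implode('&', $pairs) . '"></iframe>';
}

/** Hardened form: URL-encode each pair, then HTML-escape the attribute value. */
function iframe_src_safe(array $params, string $base = 'page.php'): string
{
    // http_build_query() percent-encodes names and values, so characters such as
    // " < > & never appear literally in the query string.
    $query = http_build_query($params);

    // ENT_QUOTES escapes both " and ', so the value cannot close the attribute;
    // the explicit charset avoids mis-escaping multibyte input.
    $src = htmlspecialchars($base . '?' . $query, ENT_QUOTES, 'UTF-8');

    return '<iframe src="' . $src . '"></iframe>';
}

// Constructed sample input standing in for $_GET: one value carries a double
// quote and angle brackets, the characters that matter inside an HTML attribute.
$sample = ['id' => '42', 'q' => 'a"b<c>'];

echo iframe_src_unsafe($sample), "\n"; // the quote in 'q' breaks out of src="..."
echo iframe_src_safe($sample), "\n";   // 'q' stays inside the attribute, percent-encoded
```

Run it with `php example.php` and compare the two lines: only the hardened version keeps the whole query inside the src attribute.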