Bill H wrote: The problem is that without validation it's possible for an attacker to use that form for an XSS attack.
The ignorance (stupidity?) continues.
What would that validation consist of to prevent that?
I'm no expert in web security, but...
I'm guessing PHP_SELF is initialized by looking at the script name stored in HTTP headers...
So I imagine that using SCRIPT_NAME or __FILE__ or something similar would be better, because they're likely initialized on the server, by the server, using environment variables, preventing outside tampering...
Would be my guess anyways...
I'm not totally clear on how XSS works, but I'm pretty sure it works like:
You use a variable like PHP_SELF inside the FORM element's action attribute.
You don't hardcode the URL but simply do...
Code:
<form action="<?=$_SERVER['PHP_SELF'];?>">
<!-- ...various input elements, etc... -->
</form>
Someone could potentially use your web site now to carry out DoS attacks on another site...
All they would have to do is spoof PHP_SELF to something like http://www.somedomain.com and submit that web site FORM, which would send an HTTP GET/POST request to http://www.somedomain.com instead of the intended website...
http://www.somedomain.com would then have a log of your web site sending abnormal amounts of requests to their web site, meanwhile you haven't done F' all but still get in trouble...and the script kiddy walks because he spoofs his own IP when calling your troubled script...
This is what I am guessing anyways...
If a script kiddy found enough sites with holes like this they could then possibly carry out DDoS attacks...which is more of a threat...
So I guess comparing PHP_SELF to SCRIPT_NAME, or hardcoding a URL and just appending PHP_SELF to it, would likely fix that problem...
Of course this is all an educated guess...so if I'm wrong someone jump in and correct me...
I'm curious
p.s-
www.codeproject.com was hacked by a javascript programmer...the message forums allowed javascript and somehow someone figured out how to get a script to execute when their message was displayed...so they changed the URLs of the adBanners to some pornographic ad banners instead...whenever someone read their message or entire thread, I think it was
Bored or what??? Who thinks of these things
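The two fixes the post gropes toward, shown as an added example (this is not the poster's code, and the `$server` array is a constructed stand-in for `$_SERVER`): PHP_SELF echoes back the request path, so a client-supplied path-info tail lands inside the `action` attribute unless it is escaped; SCRIPT_NAME is derived from the script's own path, so comparing the two detects the tail.

```php
<?php
// Added example, not from the original post. Demonstrates two defences for a
// form whose action is built from $_SERVER['PHP_SELF'].

// Mitigation 1: never emit a request-derived value into HTML unescaped.
// htmlspecialchars turns " < > & ' into entities, so the attribute cannot be
// closed early by characters in the request path.
function safeAction(string $phpSelf): string
{
    return htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Mitigation 2 (the post's suggestion): compare PHP_SELF with SCRIPT_NAME.
// SCRIPT_NAME comes from the script's filesystem path; PHP_SELF additionally
// carries any path-info tail the client appended. On mismatch, keep only the
// server-derived name, and escape the result anyway (defence in depth).
function trustedAction(array $server): string
{
    $script = $server['SCRIPT_NAME'] ?? '';
    $self   = $server['PHP_SELF']    ?? '';
    if ($self !== $script) {
        // Request carried extra path segments: discard them.
        $self = $script;
    }
    return htmlspecialchars($self, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample request: /form.php with a path-info tail that contains
// attribute-breaking characters. In a real script this would be $_SERVER.
$server = [
    'SCRIPT_NAME' => '/form.php',
    'PHP_SELF'    => '/form.php/extra"<path',
];

// The original, vulnerable pattern (kept for contrast; do not ship this):
//   <form action="<?=$_SERVER['PHP_SELF'];?>">

// Escaped: the tail is still present but can no longer break out of the quotes.
echo '<form action="' . safeAction($server['PHP_SELF']) . '">', PHP_EOL;

// Validated against SCRIPT_NAME: the tail is dropped entirely.
echo '<form action="' . trustedAction($server) . '">', PHP_EOL;
```

Running the script with php-cli shows both forms; the second is the one to use when the form should only ever post back to the script itself.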
