  1. #1
    New Coder
    Join Date
    Dec 2007
    Posts
    96
    Thanks
    8
    Thanked 1 Time in 1 Post

    Vulnerables in $_POST

    Hi guys
    I did a scan for my site with "Acunetix Web Vulnerability Scanner"
    and I found 4 vulnerabilities in my registration page, all of them are about $_POST.
    I have a function "escapestring" that validates the $_POST before it continues (escapestring($_POST))
    PHP Code:
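    function EscapeString($text){
        // Encode HTML special characters; ENT_NOQUOTES leaves " and ' unencoded
        $text = htmlentities($text, ENT_NOQUOTES, "UTF-8");
        // Escape the string for use in a MySQL query
        $text = mysql_real_escape_string($text);
        return $text;
    }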


    But it seems it's not enough cuz it returned the 4 vulnerabilities about each $_POST

    The POST variable name has been set to >"><ScRiPt%20%0a%0d>alert(39490.5803280903)%3B</ScRiPt>.

    The POST variable name has been set to "+onmouseover=alert(39672.5858216319)+.

    The POST variable name has been set to %00"'><ScRiPt%20%0a%0d>alert(39676.5858217477)%3B</ScRiPt>.

    The POST variable name has been set to %00'"><ScRiPt%20%0a%0d>alert(39675.5858217477)%3B</ScRiPt>.

    How can I write a safe function to prevent those attacks??
    Last edited by skmd; 01-10-2008 at 02:27 PM.

  • #2
    UE Antagonizer Fumigator's Avatar
    Join Date
    Dec 2005
    Location
    Utah, USA, Northwestern hemisphere, Earth, Solar System, Milky Way Galaxy, Alpha Quadrant
    Posts
    7,691
    Thanks
    42
    Thanked 637 Times in 625 Posts
    Use strip_tags() to remove tags inside any string.

  • #3
    Senior Coder nikos101's Avatar
    Join Date
    Dec 2006
    Location
    London
    Posts
    1,005
    Thanks
    58
    Thanked 10 Times in 10 Posts
    sorry for being noobish but how is

    >"><ScRiPt%20%0a%0d>alert(39490.5803280903)%3B</ScRiPt>.

    an attack?


  • #4
    UE Antagonizer Fumigator's Avatar
    Join Date
    Dec 2005
    Location
    Utah, USA, Northwestern hemisphere, Earth, Solar System, Milky Way Galaxy, Alpha Quadrant
    Posts
    7,691
    Thanks
    42
    Thanked 637 Times in 625 Posts
    If your PHP script just spits back what is entered on a form, and what is entered is Javascript that redirects your page, creates 100 popups, completely rewrites your page, adds a marquee, for godsake-- you don't call that an attack?

    So yeah any <script> tags need to be denied for sure.

  • #5
    Senior Coder nikos101's Avatar
    Join Date
    Dec 2006
    Location
    London
    Posts
    1,005
    Thanks
    58
    Thanked 10 Times in 10 Posts
    easy now I've only been at this game for 7 months


  • #6
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,628
    Thanks
    0
    Thanked 648 Times in 638 Posts
    What is each field supposed to contain? Validate that the content of the field makes sense for what the field is supposed to be. For example someone's name can contain letters, spaces, hyphens, single quotes etc but can't contain numbers or less than or greater than signs. Applying appropriate validation to each field passed against what sort of content is valid for that field is not only more secure than simply using a couple of standard functions to make sure that what is entered as content is treated as content and can't update the code but it also avoids your storing data for a person named >"><ScRiPt%20%0a%0d>alert(39490.5803280903)%3B</ScRiPt> and allows you to tell the person that they entered the wrong value as you need their name and not a string of garbage.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • #7
    New Coder
    Join Date
    Dec 2007
    Posts
    96
    Thanks
    8
    Thanked 1 Time in 1 Post
    I think that's true, the whole site is validated with the escapeString function, and there was no problem until I tried to use it. All pages now have errors and some texts can't be displayed although they have no special characters, just letters and numbers.
    Will htmlspecialchars() do the job?
    Any other help?
    Last edited by skmd; 01-10-2008 at 10:10 PM.

  • #8
    Senior Coder nikos101's Avatar
    Join Date
    Dec 2006
    Location
    London
    Posts
    1,005
    Thanks
    58
    Thanked 10 Times in 10 Posts
    htmlspecialchars() is good for preserving html code in the database.


  • #9
    Senior Coder
    Join Date
    Jan 2007
    Posts
    1,648
    Thanks
    1
    Thanked 58 Times in 54 Posts
    I did a scan for my site with "Acunetix Web Vulnerability Scanner"
    Don't use a tool like that.

    Use common sense, read through security tutorials and know what openings are possible in PHP. Tools like that make your programming mind lazy.

  • #10
    New Coder
    Join Date
    Dec 2007
    Posts
    96
    Thanks
    8
    Thanked 1 Time in 1 Post
    I'm wondering why not??
    Of course before you start programming something u must read security tutorials and you will cover most of it while u are programming, but you will never know all the possible security holes to cover.
    So I don't mind using it just to make sure everything is ok, especially since I'm new to PHP.

    When I used htmlspecialchars it did as strip_tags() did!!
    Any other help?

  • #11
    New Coder
    Join Date
    Dec 2007
    Posts
    96
    Thanks
    8
    Thanked 1 Time in 1 Post
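    Here is my new function, but still the hack code can pass it: (see the attachment)
    PHP Code:
    function EscapeString($text){
        // Remove HTML tags
        $text = strip_tags($text);
        // Encode HTML special characters, leaving quotes unencoded
        $text = htmlentities($text, ENT_NOQUOTES, "UTF-8");
        // Escape the string for use in a MySQL query
        $text = mysql_real_escape_string($text);
        // Encode HTML special characters again (default flags)
        $text = htmlspecialchars($text);
        return $text;
    }
    What can I do? Any idea will be appreciated.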
    Attached Thumbnails: Vulnerables in $_POST-untitled.jpg
    Last edited by skmd; 01-11-2008 at 08:41 PM.
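
An added example, not part of any post in this thread: it runs two of the scanner's reported values through the HTML escaping used in the first post's function (ENT_NOQUOTES) and through htmlspecialchars() with ENT_QUOTES applied at output time, alongside the per-field name validation post #6 describes. The helper names, the sample name, and the assumption that the value is echoed back into a double-quoted value attribute are illustrative; SQL escaping is left out because it belongs at query time, not in the HTML output path.

```php
<?php
// Added example, not code from the thread. Helper names and the form field are assumptions.

// HTML escaping as in the first post's function: ENT_NOQUOTES leaves " and ' untouched.
function escape_noquotes(string $text): string {
    return htmlentities($text, ENT_NOQUOTES, 'UTF-8');
}

// Escape at output time for HTML text and quoted attribute values.
function h(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Per-field validation: a name starts with a letter and holds only
// letters, spaces, hyphens and apostrophes (the rule post #6 describes).
function valid_name(string $name): bool {
    return preg_match('/^\p{L}[\p{L} \'\-]{0,63}$/uD', $name) === 1;
}

// Render the field the way a registration form would echo a submitted value back (assumed markup).
function render_input(string $escapedValue): string {
    return '<input type="text" name="name" value="' . $escapedValue . '">';
}

// Two of the scanner's values from the report above, as PHP receives them after URL-decoding.
$samples = [
    ">\"><ScRiPt \n\r>alert(39490.5803280903);</ScRiPt>",
    '" onmouseover=alert(39672.5858216319) ',
    "Anne-Marie O'Neil",   // constructed legitimate value
];

foreach ($samples as $value) {
    $weak   = escape_noquotes($value);
    $strong = h($value);
    // A raw quote surviving inside the value ends the attribute early.
    $weakBreaksOut   = strpos($weak, '"') !== false;
    $strongBreaksOut = strpos($strong, '"') !== false || strpos($strong, "'") !== false;

    printf("input:        %s\n", json_encode($value, JSON_UNESCAPED_SLASHES));
    printf("valid name:   %s\n", valid_name($value) ? 'yes' : 'no (reject and ask again)');
    printf("ENT_NOQUOTES: %s -> %s\n", $weakBreaksOut ? 'BREAKS OUT' : 'contained', render_input($weak));
    printf("ENT_QUOTES:   %s -> %s\n\n", $strongBreaksOut ? 'BREAKS OUT' : 'contained', render_input($strong));
}
```

Both scanner values fail the name check and leave a raw double quote in the ENT_NOQUOTES output, while the ENT_QUOTES output keeps every value inside the attribute.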

