RE: XSS help

["Mike Andrews" <mike () se fit edu>]

Isn't the more fundamental reason that the code (main PHP page) has already
executed on the server already, so it's going to treat any server-side
scripting (in any language) passed in as data and not code.  Only when using
"eval" or something similar would the execution engine, interpreter, etc, be
activated again.

Cheers,
Mike.


> On Monday 09 August 2004 14:12, Serg B. wrote:
> > Hi All,
> >
> > I am testing a site and came across a scenario where there is a login
> > form displayed on front page with a form heading that is displayed by
> > being passed in, from GET variable by appending it to the URL.
> <snip>
>
> > So this leads me to the next thought. Is it at all possible to
> > execute an arbitrary server side code on the server via this bug?
> >
> > E.g.:
> >    www.mydomain.com/form.php?var=<?php echo 'test' ?>
> >
> > This was unsuccessful since quotes (both ' and ") got escaped. I then
> > tried:
> >    www.mydomain.com/form.php?var=<?php echo 1 ?>
> >
> > Which echoed everything, PHP tags, code, etc (from looking at page
> > source). I also tried to wrap all of this business in JS escape
> > function with no luck.
> >
> > So the question is how I could run PHP (not JavaScript, since that
> > was covered in numerous papers and presentations...) from what I
> > found.