WebApp Sec mailing list archives
RE: XSS help
From: "Mike Andrews" <mike () se fit edu>
Date: Mon, 9 Aug 2004 12:46:48 -0400
Isn't the more fundamental reason that the code (main PHP page) has already executed on the server, so it's going to treat any server-side scripting (in any language) passed in as data and not code? Only when using "eval" or something similar would the execution engine, interpreter, etc., be activated again.

Cheers,
Mike.
On Monday 09 August 2004 14:12, Serg B. wrote:
> Hi All,
>
> I am testing a site and came across a scenario where there is a login form displayed on the front page with a form heading that is displayed by being passed in from a GET variable, by appending it to the URL.
>
> <snip>
>
> So this leads me to the next thought. Is it at all possible to execute arbitrary server-side code on the server via this bug? E.g.:
>
> www.mydomain.com/form.php?var=<?php echo 'test' ?>
>
> This was unsuccessful since quotes (both ' and ") got escaped. I then tried:
>
> www.mydomain.com/form.php?var=<?php echo 1 ?>
>
> Which echoed everything, PHP tags, code, etc. (from looking at the page source). I also tried to wrap all of this business in the JS escape function with no luck.
>
> So the question is how I could run PHP (not JavaScript, since that was covered in numerous papers and presentations...) from what I found.
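
The point made in the reply above, as an added example (not code from the thread or from the site being tested): a value read from the query string is only a string by the time the page writes it out, so PHP tags inside it are never parsed by the server, and HTML-encoding it closes the remaining client-side issue. The function names and the constructed `$query` array standing in for `$_GET` are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: read the heading parameter, tolerating a missing
// value or an array value (form.php?var[]=x) by falling back to a default.
function heading_from(array $query): string
{
    $value = $query['var'] ?? 'Login';
    return is_string($value) ? $value : 'Login';
}

// 'Before': the heading is written into the page unmodified. The browser
// receives whatever markup the parameter contained (reflected XSS).
function render_heading_raw(array $query): string
{
    return '<h1>' . heading_from($query) . '</h1>';
}

// 'After': the heading is HTML-encoded for the element context it lands in,
// so the browser displays the characters instead of interpreting them.
function render_heading_encoded(array $query): string
{
    $safe = htmlspecialchars(heading_from($query), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h1>' . $safe . '</h1>';
}

// Constructed sample input: the second probe quoted in the thread.
$query = ['var' => '<?php echo 1 ?>'];

// The PHP engine parsed this file before the string existed as a value, so in
// both renderings the tags are ordinary bytes in the response body. Only
// handing request data to eval(), include or a similar construct would send
// it back through the interpreter.
echo render_heading_raw($query), PHP_EOL;
echo render_heading_encoded($query), PHP_EOL;
```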