Security Question


volatileboy


Hey people, I was going over an old script of mine the other day and I ran a web vulnerability scanner on it to see how secure it was, and I got an XSS warning. Now this puzzles me because I am not entirely sure how this affects the script and what can/can't be done. This script is old, so I will paste the relevant bits in here; it was playing with the $page variable. What damage could you do and how would you remedy the problem?


// $numpages is set earlier in the script (not shown in the post)
if(isset($_GET['page'])) {
    if($_GET['page'] > $numpages) {
        $page = 1;
    } else {
        // anything that does not compare greater than $numpages is accepted as-is,
        // including non-numeric strings such as "Hello"
        $page = $_GET['page'];
    }
} else {
    $page = 1;
}

// $page is echoed straight into the HTML without escaping; this is what the scanner flagged
echo ('<strong style="margin-top: 4px; margin-left: 3px;">Page ' . $page . ' of ' . $numpages . '</strong></p>');


By putting a non-number in there, like hello.php?page=Hello, it simply output the word Hello, so I am not fully sure what the security implications are and how insecure it really is.


Might sound like a dumb question but it's been nagging at me.


Thanks for reading!


Because you are echoing $page/$_GET['page'] to the visitor, someone could make a link to your site that contains javascript and if they can get someone who is a member of your site (has cookies/session id cookie to your site) to click on that link, the visitor will be taken to your site and the javascript will send the cookie/session id cookie to the hacker.


If you are expecting $_GET['page'] to be a number only, you either need to validate that it is only a number or more simply cast it as an integer to remove any non-numeric part.


Kind of depends on what else you are using $page for in your code. If you are putting it into a sql statement without validating it, someone could be injecting sql and reading all the rows in your user table. Or you could be using it to determine a file name to include and someone is using it to include their remote raw php code and they just took over your site. Or you are putting it into some eval()'ed code (part of a template for example) and someone got their raw php code to run on your site and they just took over your site...

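The two replies above cover the fix for the reflected XSS (cast or validate $page, and escape it on output) and the wider risks if $page also feeds a SQL query, an include() or eval(). The following script is an added example, not code from the original poster or from either reply, showing all of those points in one place. It assumes a table named items paged PER_PAGE rows at a time; an in-memory SQLite database is constructed inline so it runs offline, and the template file names in templateFor() are hypothetical.

```php
<?php
// Added example (not the thread's own code): hardened handling of a $page
// query parameter. Requires PHP with the PDO SQLite driver.

declare(strict_types=1);

const PER_PAGE = 5;

/**
 * Coerce the raw query value to an integer in [1, $numpages].
 * Non-numeric input ("Hello", "<script>...", "2 OR 1=1") is rejected by
 * FILTER_VALIDATE_INT and falls back to page 1, so attacker-controlled text
 * never reaches the HTML, the SQL, or a file path.
 */
function sanitizePage($raw, int $numpages): int
{
    // filter_var rejects "12abc" outright instead of silently truncating it the way (int) would
    $page = filter_var($raw, FILTER_VALIDATE_INT);
    if ($page === false || $page < 1) {
        return 1;
    }
    return min($page, max($numpages, 1));
}

/** Render the pager; escaping on output keeps this safe even if $page were ever a string again. */
function renderPager(int $page, int $numpages): string
{
    return '<strong>Page ' . htmlspecialchars((string) $page, ENT_QUOTES, 'UTF-8')
         . ' of ' . htmlspecialchars((string) $numpages, ENT_QUOTES, 'UTF-8') . '</strong>';
}

/** Fetch one page of rows with bound integer parameters rather than string interpolation. */
function fetchPage(PDO $db, int $page): array
{
    $stmt = $db->prepare('SELECT id, title FROM items ORDER BY id LIMIT :lim OFFSET :off');
    $stmt->bindValue(':lim', PER_PAGE, PDO::PARAM_INT);
    $stmt->bindValue(':off', ($page - 1) * PER_PAGE, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * If $page also selects a template to include (the second reply's scenario),
 * map it through a fixed allowlist instead of building a path from user input.
 */
function templateFor(int $page): string
{
    $templates = [1 => 'list.php', 2 => 'list_alt.php']; // hypothetical file names
    return $templates[$page] ?? $templates[1];
}

// --- constructed sample data and simulated requests ------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT)');
$ins = $db->prepare('INSERT INTO items (title) VALUES (:t)');
for ($i = 1; $i <= 12; $i++) {
    $ins->execute([':t' => "Item $i"]);
}
$numpages = (int) ceil(12 / PER_PAGE); // 3 pages

// Values a scanner would submit as ?page=...; none of them survive sanitizePage() as text.
$probes = ['2', 'Hello', '<script>alert(1)</script>', '99', '-1', '2 OR 1=1'];
foreach ($probes as $raw) {
    $page = sanitizePage($raw, $numpages);
    $rows = fetchPage($db, $page);
    printf("%-30s -> page %d, %d rows, template %s, %s\n",
        var_export($raw, true), $page, count($rows), templateFor($page), renderPager($page, $numpages));
}
```

The three layers are deliberately independent: sanitizePage() makes $page an integer at the boundary, the prepared statement binds it as an integer regardless, and htmlspecialchars() escapes on output regardless. Any one of them alone would stop the scanner's payload; keeping all three means a later change to one part of the script does not silently reopen the hole.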
