Messages posted by: PandA.nl

Carbonize wrote:if (htmlspecialchars($this->url) != "$this->url") { $this->url = ''; }Which basically says if there is any html characters in the url such as <, > or & then it will not accept the url and removes it from the entry.

Maybe I don't understand what's happening, but before I did the strip_tags() this exploit:

http://www.example.com/index.php?entry=<script>alert(document.cookie)</script>

generated a popup and mysql error, and after I added the strip_tags the popup didn't show anymore (still get a mysql error message). So, allthough it might not be harmfull, it does not look like the html is removed!

I noticed, but it weren't [url]'s, but it really were html anchors like <a href="...

edit: oops, I suppose the [url]'s are translated to href's by the script of course. Sorry about that

Aha, thanks for the explanation!

I noticed a strange thing though. I'm using version 2.3.1 i.c.w. PHP 4.3.10 on two guestbooks, HTML disabled, but several times visitors managed to enter url's (spamming type url's) into the messages they added.

This shouldn't be possible is it? I assume <a href="... should be disabled as all other html.

edit: BTW these guestbooks weren't upgraded, so no old files are being used. And, not sure if it's related in anyway but, trying the hack on those guestbooks, a popup appeared (before I added the strip_tags() to the $entry variable, after adding strip_tags() it didn't happen anymore).

Great post amber222, thanks!!!

And what about:
http://www.securityfocus.com/bid/11798/exploit/
(or did you already mention it?)

There's fix/workaround there too.

I added (guestbook/index.php)
after
(2x) and it seems to work

but probably their fix is better (adding $entry = htmlspecialchars ($entry);) since I'm not a programmer

BTW: the exploit seems to work on both 2.2. and 2.3.1