
Patch to stop cross-site scripting (XSS) has been done



Posted by Nick Gammon   Australia  (22,975 posts)  [Biography] bio   Forum Administrator
Date Sun 04 Feb 2018 02:22 AM (UTC)

Amended on Sun 04 Feb 2018 06:19 AM (UTC) by Nick Gammon

I was advised that this site was vulnerable to certain XSS attacks.

See Cross-site scripting - Wikipedia

This has now been patched to eliminate this threat.

Although all user input was carefully validated, the actual URL used to access a particular page was not validated, per se. For example:

www.gammon.com.au/forum/?id=14156&page=999

In this example the "id" of 14156 and the "page" of 999 were validated to contain reasonable characters (e.g. numbers in this case) and not exceed a reasonable length.

However, the actual URL itself is contained in a PHP variable called $PHP_SELF, which means "the URL of the current page". In places, this was used to generate links to other pages. The attack came by appending extra text to the URL, like this:

www.gammon.com.au/forum/?id=14156<!'/*!"/*!\'/*\"/*--!><svg/onload=prompt(/ATTACK!/)>

What this did, when $PHP_SELF was used, was to terminate the quoted URL and then drop into other code (the "svg" stuff). Since that would be embedded in a page from a trusted server (this server), someone could trick your browser into executing arbitrary code.

The nature of the attack would be:

  • Alice would tell Bob (or post a link on a page under Alice's control): "Hey, check out this interesting site!" - including a URL with the attack vector at the end.

  • Bob would visit the site. The attacking code would be echoed back as part of the $PHP_SELF, which would cause undesirable things to happen on Bob's computer.


Personally, I am using NoScript - an extension for Firefox which catches such XSS scripting attempts.

Even though this site should be impervious to such attacks in the future, apparently there are a lot of sites which are still vulnerable. I recommend you install NoScript to help catch people attempting to sneak scripts into your browser.

- Nick Gammon

www.gammon.com.au, www.mushclient.com
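The link-building pattern the post describes, shown as an added PHP example (not the forum's own code): a page that reflects the request URL into an href, beside the escaped form and the form that does not reflect the URL at all. The function names and the constructed $_SERVER value are assumptions for illustration; whichever server variable carries attacker-controlled text, the fix is the same.

```php
<?php
// Added example, not code from the Gammon forum. It reproduces the bug
// class from the post: the current page's URL is echoed into a link
// without escaping, so a crafted URL can close the href attribute and
// start a new tag. $PHP_SELF in the post corresponds to $_SERVER['PHP_SELF'].

// Constructed request: the "URL of the current page" as an attacker could
// make the server see it (payload shape taken from the post).
$_SERVER['PHP_SELF'] = '/forum/?id=14156<!\'/*!"/*!\'/*"/*--!><svg/onload=prompt(/ATTACK!/)>';

// VULNERABLE: raw reflection of the request URL into an HTML attribute.
// The double quote in the payload ends the href and the browser then sees
// a real <svg onload=...> element.
function vulnerable_next_link(string $self, int $page): string
{
    return '<a href="' . $self . '&page=' . $page . '">next page</a>';
}

// HARDENED (1): escape for the HTML attribute context. ENT_QUOTES turns both
// quote kinds into entities; < and > become &lt; and &gt;, so no tag can
// be opened from inside the attribute.
function escaped_next_link(string $self, int $page): string
{
    $safe = htmlspecialchars($self, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '&page=' . $page . '">next page</a>';
}

// HARDENED (2): do not reflect the request URL at all. Build the link from
// a fixed path plus values that were already validated (here cast to int,
// the same "reasonable characters" check the post describes for id/page).
function fixed_next_link(int $id, int $page): string
{
    return '<a href="/forum/?id=' . $id . '&page=' . $page . '">next page</a>';
}

// Quick self-check a maintainer can run: the output must not contain a raw
// '<' anywhere after the opening <a ...> tag we wrote ourselves.
function attribute_is_safe(string $html): bool
{
    $attr = substr($html, strlen('<a href="'));
    $end  = strpos($attr, '">');          // first real attribute terminator
    return $end !== false && strpos(substr($attr, 0, $end), '<') === false;
}

$page = 999;
echo "vulnerable: ", vulnerable_next_link($_SERVER['PHP_SELF'], $page), "\n";
echo "escaped:    ", escaped_next_link($_SERVER['PHP_SELF'], $page), "\n";
echo "fixed:      ", fixed_next_link(14156, $page), "\n";
var_dump(attribute_is_safe(vulnerable_next_link($_SERVER['PHP_SELF'], $page))); // bool(false)
var_dump(attribute_is_safe(escaped_next_link($_SERVER['PHP_SELF'], $page)));    // bool(true)
```

Run with `php example.php`; the first line shows the href being closed early by the payload, the second shows every quote and angle bracket neutralised as an entity.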
