Date: 02/28/01
- Next message: Spruce Weber: "Re: [phplib-dev] possible solution for "data missing" error?"
- Previous message: Daniel Naber: "[phplib-dev] possible solution for "data missing" error?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
with PHP lib 7.2b (and it seems no different in CVS) there's a cross site
scripting attack possible.
Anyone can use such a link to break out of the input field:
http://server/home.php?username=X">YYY
(home.php needs to be a page that's protected with my_Auth)
This is a problem since any code, especially javascript code, can then be
placed on the page. This can be used to get a user's password.
More general information is here:
http://www.cert.org/advisories/CA-2000-02.html
The attached patch is supposed to fix the problem for crloginform.ihtml.
It would be great if someone with CVS write access could check + apply it
(also for at least the other login form file. I don't know about other
places, since I'm not so familiar with PHP lib).
Regards
Daniel
-- Daniel Naber, Paul-Gerhardt-Str. 2, 33332 Guetersloh, Germany Tel. 05241-59371, Mobil 0170-4819674
- text/plain attachment: phplib-scripting.diff
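An added example, not phplib's code and not the patch attached to the post (the archive does not reproduce it): the attribute break-out the message describes, rendered verbatim and then with htmlspecialchars(), plus a round-trip check a maintainer could keep beside the login template. The field name and markup are assumptions, not the contents of crloginform.ihtml.

```php
<?php
// Added example (not phplib's code): echoing a user-supplied value into an
// HTML attribute. The input name and markup are assumptions; the post
// describes a my_Auth login form reading ?username= from the query string.

// Vulnerable rendering: the value lands inside value="..." verbatim, so a
// double quote in the input closes the attribute and whatever follows is
// parsed as markup (the break-out the post demonstrates).
function render_username_field_unsafe($username) {
    return '<input type="text" name="username" value="' . $username . '">';
}

// Fixed rendering: every character with meaning inside an attribute
// (& < > " ') becomes an entity, so the input is displayed, never parsed.
function render_username_field_safe($username) {
    $escaped = htmlspecialchars($username, ENT_QUOTES);
    return '<input type="text" name="username" value="' . $escaped . '">';
}

// Round-trip check: parse the value attribute out of the rendered field and
// decode it; it must equal the original input. If the attribute was broken
// out of, the attribute does not end where expected and the check fails.
function attribute_roundtrips($rendered, $original) {
    if (!preg_match('/ value="([^"]*)">$/', $rendered, $m)) {
        return false;  // attribute not terminated where the template expects
    }
    return html_entity_decode($m[1], ENT_QUOTES) === $original;
}

// Constructed input of the shape shown in the post: a quote that closes the
// attribute, then extra text that would be rendered as page content.
$input = 'X">YYY';

foreach (array('unsafe' => render_username_field_unsafe($input),
               'safe'   => render_username_field_safe($input)) as $kind => $html) {
    $ok = attribute_roundtrips($html, $input) ? 'value intact' : 'attribute broken';
    echo $kind, ': ', $html, "\n  -> ", $ok, "\n";
}
```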