Mailinglist Archive: opensuse (3566 mails)
Re: [opensuse] PHP Question
- From: "Cristian Rodriguez R." <judas_iscariote@xxxxxxxxxxxxx>
- Date: Fri, 27 Apr 2007 23:37:35 -0400
- Message-id: <4632C17F.1060605@xxxxxxxxxxxxx>
Randall R Schulz wrote:
>
> You've got to clarify this. I see an HTML form that submits PHP code.
No, the HTML form does not submit PHP code; what you are seeing **is**
PHP code mixed with HTML, that is interpreted on the server.
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
will be displayed to the user browser as:
<form method="post" action="myscript.php">
where myscript.php is the name of the current script in execution.
In this case, the programmer's laziness permits an XSS attack:
http://example.com/myscript.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo
as PHP_SELF contains more than the script name, it contains PATH_INFO
and other stuff. If you really only want the script name, you have to
use $_SERVER['SCRIPT_NAME'];
> How is that not an avenue for an injection exploit?
it is, but for XSS.
>
> What is XSS?
XSS == Cross Site Scripting
http://en.wikipedia.org/wiki/Cross_site_scripting
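The PHP_SELF problem described in the reply above, shown as an added example that is not part of the thread: the lazy form action beside a hardened one. The $_SERVER values are simulated with constructed strings (the request URL quoted in the mail) so the script runs from the command line without a web server; function names are my own.

```php
<?php
// Added example, not from the mailing-list thread. Simulates the $_SERVER
// values of the request quoted in the mail instead of reading a live request.

// Constructed request values: SCRIPT_NAME is just the script, PHP_SELF also
// carries PATH_INFO, which the client controls.
$script_name = '/myscript.php';
$php_self    = '/myscript.php/"><script>alert(\'xss\')</script><foo';

// Vulnerable: PHP_SELF is echoed raw into an attribute, so the quote in
// PATH_INFO closes the attribute and the rest is parsed as markup.
function vulnerable_action(string $php_self): string {
    return '<form method="post" action="' . $php_self . '">';
}

// Hardened: use SCRIPT_NAME, which contains no PATH_INFO, and still
// HTML-encode it before placing it in an attribute.
function hardened_action(string $script_name): string {
    return '<form method="post" action="'
        . htmlspecialchars($script_name, ENT_QUOTES, 'UTF-8') . '">';
}

// Defence in depth: even if PHP_SELF is kept, encoding with ENT_QUOTES turns
// the quote and angle brackets into entities, so the attribute stays closed.
function encoded_self_action(string $php_self): string {
    return '<form method="post" action="'
        . htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8') . '">';
}

// Simple check a reviewer can run: the raw attribute must not survive.
function attribute_is_safe(string $html): bool {
    return strpos($html, '"><') === false;
}

echo vulnerable_action($php_self), PHP_EOL;    // attribute broken open
echo hardened_action($script_name), PHP_EOL;   // action="/myscript.php"
echo encoded_self_action($php_self), PHP_EOL;  // payload shown as entities

var_dump(attribute_is_safe(vulnerable_action($php_self)));    // bool(false)
var_dump(attribute_is_safe(hardened_action($script_name)));   // bool(true)
var_dump(attribute_is_safe(encoded_self_action($php_self)));  // bool(true)
```

Run it with `php example.php`. The first line of output shows the script tag sitting outside the attribute, which is exactly what the browser would execute; the other two keep the action inside the quotes. SCRIPT_NAME removes the attacker-controlled PATH_INFO at the source, and htmlspecialchars is the general rule for anything echoed into HTML, whichever $_SERVER variable it came from.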