Randall R Schulz escribió:
You've got to clarify this. I see an HTML form that submits PHP code.
no, the html form does not submit PHP code, what you are seeing **is** PHP code mixed with html, that is interpreted on the server. <form method="post" action="<?php echo $SEVER['PHP_SELF']; ?>"> will be displayed to the user browser as: <form method="post" action="myscript.php"> where myscript.php is the name of the current script in execution. in this case, the programmer laziness permits and XSS attack. http://example.com/myscript.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo as PHP_SELF contains more than the script name, it contains PATH_INFO and other stuff, if you really only want the script name.. you have to use $_SERVER['SCRIPT_NAME'];
How is that not an avenue for an injection exploit?
it is, but for XSS.
What is XSS?
XSS == Cross Site Scripting http://en.wikipedia.org/wiki/Cross_site_scripting