$_SERVER['PHP_SELF'] issues

If you think something is wrong with a tutorial, or something could be done better, discuss it here.

Re: $_SERVER['PHP_SELF'] issues

Postby dominion » Thu Jul 22, 2010 8:32 pm

I can, but you will need to give me a few hours; I am not at a good computer right now ><
dominion
 
Posts: 13
Joined: Wed Jul 21, 2010 7:41 pm
Online: 5h 48m
Karma: 0


Re: $_SERVER['PHP_SELF'] issues

Postby dominion » Sat Jul 24, 2010 10:22 pm

@wide_load
Sorry this took so long to answer. Here is an example of a simple img using a script to do something to your computer, in this case take your IP; however, it would be easy to send something like a shutdown command or strip all escaped data input to your database (would be sent along with it when you click submit).

http://www.mrdjk.com/playground/attack.jpg
dominion
 
Posts: 13
Joined: Wed Jul 21, 2010 7:41 pm
Online: 5h 48m
Karma: 0

Re: $_SERVER['PHP_SELF'] issues

Postby bowersbros » Sat Jul 24, 2010 10:44 pm

Try it. Try to restart my PC using that.
The early bird catches the worm but the second mouse gets the cheese!

If you look like your passport picture, you probably need the trip.

---

IM contact details:
Example doesn't work, requires a href
bowersbros
Top Contributor
 
Posts: 2006
Joined: Tue Apr 21, 2009 7:55 pm
Location: United Kingdom
Online: 4d 3h 12m 20s
Karma: 6

Re: $_SERVER['PHP_SELF'] issues

Postby Cags » Sun Jul 25, 2010 10:40 am

The point is, there's undeniable proof that it does allow you to include an iFrame. Within that iFrame it allows whoever doctored/sent out the link to use that iFrame to track people visiting your site with their link, in itself not that dangerous, but it does mean they are getting the IP address and user agent etc. of somebody that they know is visiting your site. In itself not entirely dangerous but still something you should be avoiding where possible. The iFrame can, however, run client-side code such as JS; this will have access to the parent object, thus allowing it to manipulate the DOM of your site and/or call your own JS functions. They could make the iFrame the size of the screen and clone your website, thus stealing your users' information. Using URL shortening services and redirects they could make it pretty difficult for even somebody that has a vague idea of what they are doing to realise something strange is going on.
"I don't suffer from insanity, I enjoy every minute of it."
- Pete
CodeCanyon - Cheap, High Quality, Ready Made Scripts.
Cags
Moderator
 
Posts: 1816
Joined: Fri May 22, 2009 9:35 am
Location: Purgatory
Online: 2d 12h 47m 44s
Karma: 7
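
How the iFrame gets into the page in the first place, as an added example that is not part of the original thread: `$_SERVER['PHP_SELF']` is the script path plus whatever extra path the visitor appended to the URL, so echoing it unescaped into a form's `action` lets a doctored link close the attribute and add markup. The file name `form.php`, the host `tracker.example`, the function names and the sample request are constructed for illustration.

```php
<?php
// Added example (not from the thread). PHP_SELF = SCRIPT_NAME + PATH_INFO,
// and PATH_INFO comes straight from the requested URL.

// Pattern under discussion: the value is written into an attribute as-is.
function form_unsafe(string $self): string {
    return '<form method="post" action="' . $self . '">';
}

// Fix 1: escape for an HTML attribute context before output.
function form_escaped(string $self): string {
    return '<form method="post" action="'
        . htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">';
}

// Fix 2: use SCRIPT_NAME, which carries no trailing PATH_INFO, and still
// escape it so the output rule stays uniform.
function form_script_name(string $scriptName): string {
    return form_escaped($scriptName);
}

// Review aid: true when the rendered tag contains more than the single
// "<" that opens <form>, i.e. the request managed to add markup.
function adds_markup(string $html): bool {
    return substr_count($html, '<') > 1;
}

// Constructed request for a doctored link of the kind described above:
//   /form.php/"><iframe src="//tracker.example/"></iframe>
$server = [
    'PHP_SELF'    => '/form.php/"><iframe src="//tracker.example/"></iframe>',
    'SCRIPT_NAME' => '/form.php',
];

$renderings = [
    'unsafe PHP_SELF'  => form_unsafe($server['PHP_SELF']),
    'escaped PHP_SELF' => form_escaped($server['PHP_SELF']),
    'SCRIPT_NAME'      => form_script_name($server['SCRIPT_NAME']),
];

foreach ($renderings as $label => $html) {
    printf("%-17s adds_markup=%s\n  %s\n", $label,
        adds_markup($html) ? 'yes' : 'no', $html);
}
```

Everything here happens in the visitor's browser; neither fix touches how the server escapes data before it reaches the database.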

Re: $_SERVER['PHP_SELF'] issues

Postby wide_load » Sun Jul 25, 2010 3:31 pm

dominion wrote:@wide_load
Sorry this took so long to answer. Here is an example of a simple img using a script to do something to your computer, in this case take your IP; however, it would be easy to send something like a shutdown command or strip all escaped data input to your database (would be sent along with it when you click submit).

http://www.mrdjk.com/playground/attack.jpg


If you can show an example of that I will believe you, because as far as I can see all you can do is XSS, which will not run any scripts on the actual server.
wide_load
Top Contributor
 
Posts: 5375
Joined: Thu Aug 13, 2009 1:04 pm
Online: 12d 14h 21m 3s
Karma: 43

Re: $_SERVER['PHP_SELF'] issues

Postby dominion » Mon Jul 26, 2010 3:58 pm

Cags wrote:The point is, there's undeniable proof that it does allow you to include an iFrame. Within that iFrame it allows whoever doctored/sent out the link to use that iFrame to track people visiting your site with their link, in itself not that dangerous, but it does mean they are getting the IP address and user agent etc. of somebody that they know is visiting your site. In itself not entirely dangerous but still something you should be avoiding where possible. The iFrame can, however, run client-side code such as JS; this will have access to the parent object, thus allowing it to manipulate the DOM of your site and/or call your own JS functions. They could make the iFrame the size of the screen and clone your website, thus stealing your users' information. Using URL shortening services and redirects they could make it pretty difficult for even somebody that has a vague idea of what they are doing to realise something strange is going on.


Thanks for that, at least someone is getting the fact it's an issue.

@wide_load don't believe me, fine, look it up. I have posted that it's an issue; what more can I do? I have shown you links to how it can be used and did try to explain. If you wish to know more, Google is a very nice site to use.

@bowersbros I cannot do that within the law here, so no, sorry. Please use Google.
dominion
 
Posts: 13
Joined: Wed Jul 21, 2010 7:41 pm
Online: 5h 48m
Karma: 0

Re: $_SERVER['PHP_SELF'] issues

Postby wide_load » Mon Jul 26, 2010 5:08 pm

dominion wrote:Thanks for that, at least someone is getting the fact it's an issue.

@wide_load don't believe me, fine, look it up. I have posted that it's an issue; what more can I do? I have shown you links to how it can be used and did try to explain. If you wish to know more, Google is a very nice site to use.


I do believe that XSS is an issue; what I don't believe is that the things you say can be done. You cannot remove escaping from an input on the server without editing the PHP script.

It's not illegal to talk about these things and you have already shown an example of the IP logging thing, so until someone shows how the other things could be done, I refuse to believe it's possible.

Also, I did look it up and found nothing that supports your theory.
wide_load
Top Contributor
 
Posts: 5375
Joined: Thu Aug 13, 2009 1:04 pm
Online: 12d 14h 21m 3s
Karma: 43

Re: $_SERVER['PHP_SELF'] issues

Postby bowersbros » Mon Jul 26, 2010 7:58 pm

Also, the only thing that can shut down is using shell_exec(), in which case that would shut down your server, and not the user's PC. Also, that would require access to the PHP files, which your example doesn't give.

So again, I refuse to believe that what you stated can really be done.
The early bird catches the worm but the second mouse gets the cheese!

If you look like your passport picture, you probably need the trip.

---

IM contact details:
Example doesn't work, requires a href
bowersbros
Top Contributor
 
Posts: 2006
Joined: Tue Apr 21, 2009 7:55 pm
Location: United Kingdom
Online: 4d 3h 12m 20s
Karma: 6

Re: $_SERVER['PHP_SELF'] issues

Postby wide_load » Wed Jul 28, 2010 1:38 am

Okay, I have looked into this a bit more.

There is a JavaScript exploit that allows you to execute commands on the user's PC ... in IE 5. It works; I was able to shut down my Windows IE 5 virtual machine.

Even that is still JavaScript.

The suggestion that you could remove escaping from data and perform SQL injection seems to have no weight behind it.
wide_load
Top Contributor
 
Posts: 5375
Joined: Thu Aug 13, 2009 1:04 pm
Online: 12d 14h 21m 3s
Karma: 43
