Determining XSS Attack Vulnerabilities?

In the e-mail form, you echo back invalid e-mail addresses that were submitted without escaping them. Change this line:

    echo '"' . $address . '" is not a valid email address. Please try again. ';

to

    echo '"' . htmlspecialchars($address) . '" is not a valid email address. Please try again. ';

– Dave Kiss Feb 23 '10 at 21:12

1 Nope, it can't. This kind of insertion is a non-persistent XSS (en.wikipedia.org/wiki/Cross-site_scripting#Non-persistent) and only affects the user that sent the request. Yours is nastier ;)! – Wookai Feb 23 '10 at 21:23

2 I'm going to go with Wookai and posit that the attacker got one of his scripts on your server. Also, including a file whose path you obtain by concatenating "inc/", the GET variable "page" and ".inc.php" is asking for trouble. If your PHP code is in /home/dave and mine is in /home/eric, I could open up one of your pages with "page=../../eric/evil_script" in the query string and make your page include my evil_script.inc.php file. – ArIck Feb 23 '10 at 21:33

Arick, based on your recommendation, I checked my php error_log and found some peculiar errors....

    11-Dec-2009 00:38:56 PHP Warning: include(inc//../../../../../../var/log/apache2/access.log): failed to open stream: No such file or directory in /home......../index2 copy.php on line 137

Do you have suggestions on how I may be able to validate the input, or a different approach? – Dave Kiss Feb 23 '10 at 21:44

1 In general, you want to just have a whitelist of approved files to include and go off of that. Change the URLs so that 'page' is just some number from 0 to (number of pages - 1). Change how you include the page by declaring an array with the names of the files (we'll call it $MY_PAGES), then include($MY_PAGES[$_GET["page"]]). – ArIck Feb 23 '10 at 22:03
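The two fixes discussed in this answer and its comments, escaping the reflected address with htmlspecialchars() and replacing the concatenated include with a whitelist lookup, as one added PHP example. This is example code, not code from the original poster or the commenters; the file names in $MY_PAGES and the sample inputs are constructed for the demo.

```php
<?php
// Added example, not from the original thread. Shows (1) escaping reflected
// input before echoing it and (2) resolving the 'page' parameter through a
// whitelist instead of building an include path from user input.
// Directory and file names below are assumptions for the demo.

declare(strict_types=1);

/**
 * Validate an address and build the HTML error message for an invalid one.
 * Returns null when the address is valid.
 */
function emailErrorHtml(string $address): ?string
{
    if (filter_var($address, FILTER_VALIDATE_EMAIL) !== false) {
        return null;
    }
    // ENT_QUOTES escapes both quote styles so the value is also safe inside
    // attributes; the explicit charset avoids mis-decoding in the browser.
    $safe = htmlspecialchars($address, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '"' . $safe . '" is not a valid email address. Please try again.';
}

// Whitelist of includable pages; the URL carries only the index.
// (File names are assumptions for the example.)
$MY_PAGES = [
    0 => 'inc/home.inc.php',
    1 => 'inc/about.inc.php',
    2 => 'inc/comments.inc.php',
];

/**
 * Map the raw 'page' query value to a whitelisted file, or null if it is
 * not a plain integer key of $pages. Traversal sequences, absolute paths
 * and log-file names are rejected before include() is ever reached.
 */
function resolvePage(array $pages, $raw): ?string
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    // Accept only a plain decimal integer: "1" yes, "01" or "1/../x" no.
    if (!preg_match('/^(0|[1-9][0-9]*)$/', (string) $raw)) {
        return null;
    }
    return $pages[(int) $raw] ?? null;
}

// Demo run over constructed inputs (not a live request):
foreach (['alice@example.com', 'bob "<b>at</b>" example'] as $s) {
    $err = emailErrorHtml($s);
    echo $err === null ? "valid: $s\n" : "error html: $err\n";
}

$probes = ['1', '../../../../var/log/apache2/access.log', '99', '1; x'];
foreach ($probes as $p) {
    $file = resolvePage($MY_PAGES, $p);
    echo str_pad(var_export($p, true), 45) . ' -> ' . ($file ?? 'REJECTED (404)') . "\n";
}

// In index.php the include then becomes:
//   $file = resolvePage($MY_PAGES, $_GET['page'] ?? '0');
//   if ($file === null) { http_response_code(404); exit; }
//   include $file;
```

The invalid address is printed with its angle brackets and quotes encoded, so the browser renders it as text; every probe except '1' is rejected by resolvePage() because only an exact integer key of the whitelist maps to a file, which is what makes the error_log entry above (an attempt to include the Apache access log through inc/) impossible with this layout.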

After a quick look, it seems that the only place where you display untrusted data is in the comments. And you used htmlspecialchars, which should prevent any html code from being interpreted. You say that the malicious code is at the bottom of your page.

Maybe the attacker found a way to upload and include his script directly on your server? What does the included code look like? Is it JavaScript, HTML?

The XSS is a javascript insertion that uses document.write to insert an iframe which sources from an external malicious site. The only includes I use are via php: – Dave Kiss Feb 23 '10 at 20:57

Ok. Is the JS code in the middle of your comments section, or is it somewhere else? In the latter case, the problem may not come from the code you posted. – Wookai Feb 23 '10 at 21:07

The JS code shows up at the very bottom of the index.php page, not in the middle of the comments – Dave Kiss Feb 23 '10 at 21:09

In this case, I'd say that your files were somehow compromised. If you look at your template/PHP file that generates the page, is there anything? Maybe the attacker is using a .htaccess to automatically append some code to all your php scripts? Is it present on all pages or only the comment page? – Wookai Feb 23 '10 at 21:24

The code is only present on the index page which is a barebones file including elements from various files to build the page. I've changed my account password in the past to something much more secure to no avail. I'm not sure about .htaccess, but I'd assume that's something where the attacker would need account access? – Dave Kiss Feb 23 '10 at 21:31

This is not an answer, and not good news, but I did see something very similar to what you described in an example in the rather disturbing video ad from Symantec, "Zeus: King of the Crimeware Toolkits" at Youtube: youtube.com/watch?v=hfjPO8_pGIk It's worth seeing the video in any case. I have no connection with Symantec.
