Title: XSS my Regular Expression for Textarea
Post by: rdivilbiss on August 14, 2007, 07:53:24 PM
http://www.cafesong.com/test/testTextAreaReflectedXSS.php

</textarea><script>alert('xss')</script> almost works.

Title: Re: XSS my Regular Expression for Textarea
Post by: CrYpTiC_MauleR on August 14, 2007, 11:13:08 PM
O.O PHP Fatal error displaying
Title: Re: XSS my Regular Expression for Textarea
Post by: rdivilbiss on August 15, 2007, 06:00:54 AM
I don't understand... you got an error? If so, how? Or was the page down?
Title: Re: XSS my Regular Expression for Textarea
Post by: GrandSchtroumpf on August 16, 2007, 04:38:12 AM
Fatal error: Call to undefined function writeformstate() in C:\hosting\webhost4life\member\rdivilbiss\test\testTextAreaReflectedXSS.php on line 176
Title: Re: XSS my Regular Expression for Textarea
Post by: rdivilbiss on August 16, 2007, 06:59:32 AM
Quote: Fatal error: Call to undefined function writeformstate() in C:\hosting\webhost4life\member\rdivilbiss\test\testTextAreaReflectedXSS.php on line 176

I can't duplicate the error in any browser. Is this from just loading the page, or the result of some action on your end?

Title: Re: XSS my Regular Expression for Textarea
Post by: GrandSchtroumpf on August 16, 2007, 08:58:54 AM
I can duplicate the error in all my browsers from just loading the page.

I also got errors in your form page when you first posted your CSS question: http://www.cafesong.com/cafe-song/employment/application-form.php
That page works fine now. Did you fix it, or do pages just require some time to fix themselves? Perhaps some caching mechanism?

Title: Re: XSS my Regular Expression for Textarea
Post by: rdivilbiss on August 16, 2007, 11:43:20 AM
As far as I recall I didn't change anything after posting, but it is possible that something changed after my first post.

My main concern was encoded attacks, but I've yet to get one working. < > ( ) are stripped. Encoded attacks so far are getting converted to < etc. when re-written to the text area, and if re-submitted, those are getting stripped. The filter for the text area is much looser than I allow for other form fields. I think I'm fine on the method, but I was feeling a bit paranoid after reading some recent reflective XSS articles.

Title: Re: XSS my Regular Expression for Textarea
Post by: VGR on September 19, 2007, 10:51:34 AM
I get the error

Fatal error: Call to undefined function writeformstate() in C:\hosting\webhost4life\member\rdivilbiss\test\testTextAreaReflectedXSS.php on line 176

Also, the date displayed above the submit button is "04/01/1970" (epoch-0 based? WTF is this? :D)

Here's your generated source code:
Code:
<div id="content">
<h2>“Sign Up Now”</h2>
<p>Send me exclusive invitations and coupons!</p>
<div id="showForm" style="width: auto; height: 25em;">
<form id="signup" name="signup" action="testTextAreaReflectedXSS.php" onsubmit="return validate(this);" method="post">
<fieldset>
<legend>Sign-Up For Free Coupons</legend>
<label for="dob">Birthdate: </label><textarea id="dob" name="dob" cols="50" rows="6"></textarea><br><span class="nocss"> Example entry: </span><span class="field-hint">04/01/1970</span><br>
<input type="submit" id="submit" name="submit" value="Submit"><br />
<b>Fatal error</b>: Call to undefined function writeformstate() in <b>C:\hosting\webhost4life\member\rdivilbiss\test\testTextAreaReflectedXSS.php</b> on line <b>176</b><br />

Title: Re: XSS my Regular Expression for Textarea
Post by: rdivilbiss on September 19, 2007, 09:26:46 PM
Quote: I get the error
Fatal error: Call to undefined function writeformstate() in C:\hosting\webhost4life\member\rdivilbiss\test\testTextAreaReflectedXSS.php on line 176

Please tell me the browser/system/etc. so I might replicate. Was this a result of a specific entry you made in the text area?

Quote: also, [t]he date displayed above the submit button is "04/01/1970" (epoch-0 based ? WTF is this ? :D )

It is a leftover example entry and has no meaning or context in this form. Thank you for looking at it.

Title: Re: XSS my Regular Expression for Textarea
Post by: GrandSchtroumpf on September 20, 2007, 07:09:02 AM
I get the error on Ubuntu in Firefox, Konqueror, Opera and IE6/wine.

How come you don't get the error? There must be something wrong somewhere... This happens very often with your pages. Are we using the same URI? http://www.cafesong.com/test/testTextAreaReflectedXSS.php Are you sure you are not on a local version of the site? My DNS resolves "www.cafesong.com" to "66.226.30.46". How about yours?

Title: Re: XSS my Regular Expression for Textarea
Post by: VGR on September 20, 2007, 01:03:45 PM
True...

Fx latest/Win2K SP4. I just opened the page. Didn't even submit the form. (It's not submittable because of the error: unclosed form, body, html, fieldset etc.; see the HTML source I posted.)

See: http://www.fecj.org/extra/cafesong.jpg

Also:
C:\>nslookup www.cafesong.com
Serveur : dns2.proxad.net
Address: 212.27.54.252

Réponse ne faisant pas autorité :
Nom : www.cafesong.com
Address: 66.226.30.46

Title: Re: XSS my Regular Expression for Textarea
Post by: rdivilbiss on September 23, 2007, 03:43:12 PM
I think I corrected the error.
Title: Re: XSS my Regular Expression for Textarea
Post by: CrYpTiC_MauleR on September 23, 2007, 09:03:26 PM
Looks like it's fixed, I don't see the error. Btw, what was causing it, and do you know why you were not able to reproduce it?
Title: Re: XSS my Regular Expression for Textarea
Post by: VGR on September 25, 2007, 11:18:02 AM
Confirmation: it looks fixed, and same side question :D
Title: Re: XSS my Regular Expression for Textarea
Post by: rdivilbiss on September 25, 2007, 11:20:44 AM
Quote: Looks like it's fixed, I don't see the error. Btw, what was causing it, and do you know why you were not able to reproduce it?

Some kind of caching issue on my laptop maybe. I had a few minutes at work and took a look at it. An included file with the form functions was not being loaded by the page, ergo the writeFormState() was not available.
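The textarea round trip the thread discusses, as an added example in Python rather than the test page's PHP (not code from the thread or from cafesong.com): the strip-the-characters filter rdivilbiss describes beside output encoding of the re-written value, plus a check that the field's own content cannot close it early. Function names and the sample inputs are mine.

```python
import html
import re

# Payload posted in the thread: tries to close the textarea early and run script.
BREAKOUT = "</textarea><script>alert('xss')</script>"

def strip_filter(value: str) -> str:
    """Input filtering as described in the thread: remove < > ( ) from the text."""
    return re.sub(r"[<>()]", "", value)

def escape_for_textarea(value: str) -> str:
    """Output encoding: escape &, <, >, and quotes so the browser treats the
    submitted text as data inside the field, never as markup."""
    return html.escape(value, quote=True)

def render_textarea(value: str) -> str:
    """Re-write the submitted value into the form, the way the test page does
    after a submit, but with output encoding instead of character stripping."""
    return f'<textarea id="dob" name="dob">{escape_for_textarea(value)}</textarea>'

def textarea_is_intact(markup: str) -> bool:
    """True when exactly one closing tag is present (case-insensitive, tolerating
    whitespace before the >), i.e. nothing inside the field closed it early."""
    return len(re.findall(r"</textarea\s*>", markup, re.I)) == 1

def displayed_value(markup: str) -> str:
    """What a user sees in the field: the content between the tags with HTML
    entities decoded, because browsers decode entities inside a textarea."""
    m = re.search(r"<textarea[^>]*>(.*?)</textarea\s*>", markup, re.S | re.I)
    return html.unescape(m.group(1)) if m else ""

if __name__ == "__main__":
    page = render_textarea(BREAKOUT)
    print(textarea_is_intact(page), "<script" not in page)   # True True
    print(displayed_value(page) == BREAKOUT)                 # True: shown literally, not run
    # Stripping mangles legitimate text; encoding preserves it.
    print(repr(strip_filter("a < b (note)")))                # 'a  b note'
    print(displayed_value(render_textarea("a < b (note)")))  # a < b (note)
    # Entity-encoded input: the strip filter leaves it alone, and once written raw
    # into the field the browser decodes it to brackets, as observed in the thread.
    print(displayed_value("<textarea>" + strip_filter("&lt;tag&gt;") + "</textarea>"))  # <tag>
    print(displayed_value(render_textarea("&lt;tag&gt;")))   # &lt;tag&gt;
```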