So I made a landing page for all these forms that the marketing department at my work makes. One of the fields they pass is a URL that I redirect to after I'm done processing - a thank you page.
Recently, I discovered a URL that looked like this:
http://www.oursite.com/folder/thank-you.php?thankyou=free-guide&adgroup=<?php echo nfpa-c ?>&reference=<?php echo ?>
Does this amount to anything but the form creator being dumb? My page is throwing huge errors about security and cross-site scripting, etc. What are the implications of this? Is there any legitimate reason to do this?
EDIT/UPDATE:
My landing page is in ASP.NET. The error it mentions is possible cross-site scripting.
<?php echo nfpa-c ?
I don't think it's the poster being dumb - this looks more like an outgoing form was not setup properly (e.g. PHP instructions used in a .html page that doesn't get parsed by the PHP interpreter.)
Check out the originating forms and look into their source code.
There is no legitimate reason to pass PHP code on the url like this. In fact it would be a Remote Code Execution Vulnerability, which is as bad as it gets its like like saying "Check Mate". I would make sure that that you don't have this code running, although its likely a bug because in php they would use eval("echo 'nfpa-c'");, you can't eval php tags like that, so its probably untested code.
Related
After realising that my web server wouldn't run php inside my html file I used an iframe which points to my php script.
It works as expected and now my site has a nice little comment form that the user can fill in and submit.
I opted for this instead of changing my hhtpd.conf because I don't think my web host allows it.
So my question is; is there any real danger of doing this? If the comment.php file were to mysteriously disappear an error would appear in my html which wouldn't affect the rest of my code. I can't think of any drawbacks unless there some server overhead I'm unaware of.
Any information would be welcomed.
Cheers!
If they (the html and php files) are located on the same server — should be no danger.
Just to clarify :
If you can 'run' the php in an iFrame, then you're able to run it in the main frame as well. the php that is generated for your iframe could as well be generated for the main frame.
So, no, there is no danger at at, but no, you don't need an iframe, I think you misunderstood somehow how php is working.
There is no php in html, php is (simplified) used in 2 scenarios :
first is to generate html that will be sent to the web browser,
the second is a script, that doesn't render any php but affects some internal files, like databases and such.
<form action="/path/hello.php" name='myForm' method='post'>
<!-- onChange="ajaxFunction();" -->
<input type= "text" name="user" id= "txtname" /><br />
<!-- <input type="text" name="user2" id="txtname2" /> -->
<input type='submit' name = "click" />
</form>
Noweveryone who looks at my html source code will know where this php file is located and will know how to call it. How can i stop this ?
If you handle the POST request to /path/hello.php properly, it shouldn't matter whether someone accesses it manually. Just make sure you are checking for things like the existence of $_POST['click'] and any other POST data you expect to exist, clean it, and proceed as normal.
If someone were to call /path/hello.php with spoofed POST data, then how would that be any different than them submitting your own form? There's no need to modify the script's visibility.
Furthermore, if your fear is that someone would be able to view the source of your PHP scripts--don't. The only thing a user would be able to see if they made an HTTP request to your PHP script would be the rendered HTML.
However, even if they could--why wouldn't you want someone to see your source (of course, barring situations where you might have sensitive configuration data within a PHP file)
You can't stop it. If you're going to tell the browser where the form is, you have to put the address in the HTML somewhere and once you do that anyone can see it.
It really shouldn't make any difference though, as your script should be able to cope with whatever values are sent to it. You can't blindly trust the data from the client in any case, so you need to verify the data sent is what you're expecting - no matter whether that's data sent by filling in your form as normal or someone calling it directly.
I can give a good example for why you would want to do this. You may have a service and offer it to a 3rd party, however in order to make this work there is some important configurable data that may come exposed. Here is an example
You own a website and let's say you want to create some type advertising campaign on your website but your "client" wants to advertise this the same thing on their website but the data needs to go into your email database.
you may not want them to know who you use
those services may require you to add account number or some type of identifying parameter towards your account.
May not be a big deal but still could be a security risk. So if you divert or mask it can prevent some of it.
There is no way to avoid this other than leave off action all together. The form will then submit to the current URL.
In any case, why are you worried about someone accessing the script? If you've written it correctly, no information should be exposed, and, no, they will not know how to "call" it - unless by calling it you mean simply accessing it in the browser. If by simply accessing it in the browser, sensitive information is displayed, you've got some serious problems on your hands.
I think your question is that by showing these paths that people will be able to actually view the source of the php file. That is not possible because it is being rendered by the php engine you are using. You have nothing to fear here.
Sorry, this isn't an answer, but a general observation on this same subject...
I have also experienced this and, seem to know where the OP is coming from...
I have seen a number of large CMS where form "actions" don't show the script... almost as if it points to a "friendly" URL...
Such as <form name="contactform" method="post" action="http://example.com/contact/send-contact">
As can be seen the extension is missing but the form is processed correctly...
I guess the htaccess could hide the extensions but some have a mix of visible URLs for standard pages and some "friendly" URLs for other content (including forms).
I'm not sure how these work...
It is sometimes considered best practice to keep .php files above the root directory to protect against the rare occurrence of php being configured incorrectly on the server and displaying php code to the client.
All you have to do is create a proxy script and post to that. I store the action in a hidden field so that I don't need multiple proxy scripts. I can't post the source code because I would be duplicating my answer on another post. You can find it here: https://stackoverflow.com/a/36941336/2452680
you can first give an action to page1 and in page 1 you can get the data and redirect and post the data to page2.
if you are using phpin page1 you can use curl and options to put data and execute it.
Hi I have a web form that sends a string to one php file which redirects them to a corresponding URL. I've searched about web form hacking and I've only received information about PHP and SQL... my site only uses a single PHP file, very basic etc. Would it be open to any exploits? I'm obviously not going to post the URL, but here is some code I was working on for the php file:
Newbie PHP coding problem: header function (maybe, I need someone to check my code)
Thanks
From that little snippet, I don't see anything dangerous. "Hackers" can enter pretty much anything they want into $_REQUEST['sport'] and thereby $searchsport, but the only place you use it is to access your array. If it's not found in your array.... nothing much will happen. I think you're safe in this limited scenario ;) Just be careful not to use $searchsport for...... just about anything else. Echoing it, or inserting it into a DB is dangerous.
Uh, it really depends. If you are inserting data into a MySQL DB without sanitizing, the answer is a huge yes. This is something you need to decide for yourself if you aren't going to show code.
The solution you've got in the linked question is pretty safe.
Every possible action is hardcoded in your script.
Nothing to worry about.
Though asking for the "web form like this" you'd better to provide a web form. Not the link to the question that contains a code that can be presumed as this form's handler.
i am using form authentication for my website which is written in ASP.Net, but i have a PHP script that i need to run. Is it possible to get the value of User.Identity.Name in PHP ?
thanks.
Yes, if you pass it on to the PHP page using POST or GET (Querystring or Form), meaning getting the value from an ASP page first and then sending it to you PHP page. You can also take a look at this question on Stack Overflow, which offers a different solution.
*Edit: Possible solutions:
Using IIS7 Forms Authentication with PHP files
How to Share Session State Between Classic ASP and ASP.NET
The second one could work for PHP as well with a bit of creativeness.
why don't you just store the User.Identity.Name from the ASP.NET page in a session, and then when you call the PHP page you can just retrieve it from that session?
As long as its the same site, it should work.
Since you mentioned loading the PHP script in an iframe, you want to do something like this:
<iframe src="myscript.php?username=<%= User.Identity.Name %>" />
This passes the Identity name along as a GET parameter, as suggested by Boekwurm.
Then, in your PHP script, grab it like so:
username = $_GET["username"];
Depending on what you're doing with it, you may need some security in place to prevent people from running the PHP script with arbitrary username parameters.
I was wondering, I want to plant a JS tracking code (analytics) in a few websites to track their traffic. But I don't want that when viewing the site's source code people will be able to see that I've embedded the JS tracking code there.
Is it possible? Maybe by using an Apache/PHP trick?
Thanks,
Roy.
Nope it's not possible, for the browser to execute any code at least some of it must be initially visible, even if that code is to then retrieve the tracking code itself.
In addition all the modern web developer tools provide access to any code that is loaded so anyone can use those to see anything you've attempted to load discretely.
The more important question is why you want to hide that you're tracking people?
It's not absolutely possible with Javascript. Javascript always runs in the context of the user's browser, so it always means that the user will have access to see the script. You can obfuscate it, or try some tricks similar to anti-hotlinking on the JS code, but it will still be relatively easy for someone to figure out what the code does with a simple tool like Firebug.
You can, however, track your traffic without JavaScript. Analytics uses JavaScript for portability, and because some of the data it accesses can only be accessed with JavaScript. However, there are more passive ways of tracking your traffic which don't require JavaScript, such as any log analyzer like AWstats. You just don't get some of the cool features of Analytics.
It's not possible, but you could just name your script file something innocent like "mouseover.js".
It's not possible: JS code has to be run by the web browser, which means that -- which ever way you try put it -- it has to be readable by the browser and thus by anyone that inspects the page.
You could try obfuscating the JS, but that won't stop anyone that is determined to see what's happening.
You could ask yourself what the odds are that more than a few people will check whether you're tracking them -- I wouldn't expect it.
You can't technically hide the code... But you can scramble it so it's not readable to anybody. I used http://hivelogic.com/enkoder/form by Dan Benjamin to scrable some JS on my page (in this case I scrambled my email address). It scrambles it so the browser can execute it, but it's not humanly readable...
Then you can just call it as a function like I did in from this script http://www.jamischarles.com/css_js/email_encoder.js. Give it a try.