php http exploit method - pbsync hack question
Post 302239878 by era on Wednesday 24th of September 2008 03:34:21 PM
That's a cross-site scripting vulnerability at its finest. Are you asking how to prevent this on a design level? Never trust user-supplied data.

It's not clear what values for p you want to continue to allow, but the basic principle should be "deny everything except a well-known set" and so a simple implementation would be to default to accueil.html unless p is one from a small set of other pages you want to allow. (A simple but, on the face of it, reasonably safe generalization would be to only allow values for p which do not contain any slash, encoded or otherwise. But "encoded or otherwise" can constitute a large security hole, too. Are you sure you know all the ways a slash could end up as the result of URL parsing?)
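The allow-list approach described in the reply, written out as an added example (this is not era's code and not the site the original poster is asking about). It assumes the script picks which HTML page to show from the query parameter p, that the pages live as .html files under a pages/ directory next to the script, and that the page names other than accueil.html (contact.html, liens.html) are made up for the example. The "no slash" variant is included only to show where the caveat in the reply bites.

```php
<?php
// Added example for this thread; not era's code and not the site the original
// poster was asking about. Assumed layout: the script picks which HTML page to
// show from the query parameter "p" and the pages live as .html files under a
// pages/ directory next to the script. Page names other than accueil.html are
// invented for the example.

// The pattern the thread warns against (assumed, for contrast): p is trusted
// and used to pick a file directly. Any path the web server can read is
// reachable, encoded or not, because PHP has already decoded %2F by the time
// $_GET['p'] is read.
function pick_page_unsafe(array $get): string
{
    return __DIR__ . '/pages/' . ($get['p'] ?? 'accueil.html');
}

// The "do not allow any slash" generalization from the reply, written as a
// denylist. Listed only to show why the reply is uneasy about it: on Windows
// builds of PHP a backslash is also a directory separator, and a value that
// is url-decoded a second time later in the script (a common mistake) turns
// %2F back into a slash after this check has already run.
function pick_page_no_slash(array $get): string
{
    $p = $get['p'] ?? 'accueil.html';
    if (!is_string($p) || strpos($p, '/') !== false) {
        $p = 'accueil.html';
    }
    return __DIR__ . '/pages/' . $p;
}

// Deny everything except a well-known set. The client-supplied value is only
// ever used as a lookup key; the file name comes from this table, so there is
// nothing to decode, normalise or strip.
const ALLOWED_PAGES = [
    'accueil' => 'accueil.html',
    'contact' => 'contact.html',
    'liens'   => 'liens.html',
];

function pick_page(array $get): string
{
    $p = $get['p'] ?? 'accueil';
    // array_key_exists is an exact match: "../x", "contact%00", "CONTACT",
    // an empty string and arrays (p[]=contact) all miss and fall back to the
    // default page.
    if (!is_string($p) || !array_key_exists($p, ALLOWED_PAGES)) {
        $p = 'accueil';
    }
    return __DIR__ . '/pages/' . ALLOWED_PAGES[$p];
}

// Constructed inputs: one legitimate value, then the kinds of values an
// attacker sends. parse_str() applies the same decoding PHP applies to $_GET,
// so $get holds what the script would actually see.
$samples = [
    'p=contact',
    'p=../../../../etc/passwd',
    'p=..%2F..%2F..%2Fetc%2Fpasswd',          // single encoding: slash is back
    'p=..%5C..%5Cwindows%5Cwin.ini',          // backslashes: no "/" to find
    'p=..%252F..%252Fetc%252Fpasswd',         // double encoding: "/" only after a 2nd decode
    'p=http%3A%2F%2Fattacker.example%2Fx.txt',
    'p=',
];

foreach ($samples as $qs) {
    parse_str($qs, $get);
    printf("%-45s unsafe    = %s\n", $qs, pick_page_unsafe($get));
    printf("%-45s no_slash  = %s\n", '', pick_page_no_slash($get));
    printf("%-45s allowlist = %s\n\n", '', pick_page($get));
}
```

Run it from the command line with php and compare the three columns: pick_page_unsafe follows every input, pick_page_no_slash still lets the backslash and double-encoded values through to the filesystem, and pick_page only ever returns one of the three files named in ALLOWED_PAGES.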