Sign in to follow this  
Cygnus_X

[web] Server Vulnerabilities

Recommended Posts

I was running a program against my server called Nikto, which is suppose to spot security issues with your website... and it produced the following message: /index.php?top_message=<script>alert(document.cookie)</script> - Led-Forums allows any user to change the welcome message, and it is vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET) I'm not sure what it means, but I figured it looked serious enough to ask the question here.

Share this post


Link to post
Share on other sites
From what I can see, I'd guess the problem is that you aren't "safifying" the welcome message contents. If someone gives you a welcome message that's just "hi" it's all well and good, but what happens if they were to enter "DROP TABLE users" or something? If you aren't escaping/safifying your input, you're vulnerable to having a malicious user do something like that.

Share this post


Link to post
Share on other sites
SQL insertion is not the threat. As already stated, cross site scripting is. Cross site scripting is when someone else (bad person) is able to run javascript in the context of your website (either through a browser flaw, or because you let them do it though posting). Since the browser will think the javascript belongs to your site, it will have access to read and write any cookies your site stored on the users computer.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this