Cygnus_X

[web] Server Vulnerabilities


I was running a program against my server called Nikto, which is supposed to spot security issues with your website... and it produced the following message:

/index.php?top_message=<script>alert(document.cookie)</script> - Led-Forums allows any user to change the welcome message, and it is vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET)

I'm not sure what it means, but I figured it looked serious enough to ask the question here.

From what I can see, I'd guess the problem is that you aren't "safifying" the welcome message contents. If someone gives you a welcome message that's just "hi" it's all well and good, but what happens if they were to enter "DROP TABLE users" or something? If you aren't escaping/safifying your input, you're vulnerable to having a malicious user do something like that.

SQL insertion is not the threat. As already stated, cross site scripting is. Cross site scripting is when someone else (bad person) is able to run JavaScript in the context of your website (either through a browser flaw, or because you let them do it through posting). Since the browser will think the JavaScript belongs to your site, it will have access to read and write any cookies your site stored on the user's computer.

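The issue discussed in this thread, as an added example that is not from any of the posters or from the scanned site: the top_message value rendered without and with output encoding, plus cookie options that keep a session cookie out of reach of document.cookie. Only the top_message parameter and the probe string come from the thread; the function names and the "session" cookie are assumptions for illustration.

```php
<?php
// Unsafe: the query-string value is copied into the HTML as-is, so any
// markup in the value becomes part of the page the browser parses.
function render_welcome_unsafe(string $msg): string
{
    return '<div class="welcome">' . $msg . '</div>';
}

// Safe: HTML metacharacters (< > & " ') are encoded on output, so the
// browser displays the value as text instead of interpreting it.
function render_welcome_safe(string $msg): string
{
    $escaped = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="welcome">' . $escaped . '</div>';
}

// Defense in depth for the cookie point made in the thread: an HttpOnly
// cookie is not exposed to page script through document.cookie.
// (Hypothetical helper; options array form requires PHP 7.3 or later.)
function session_cookie_options(): array
{
    return [
        'expires'  => 0,      // session cookie
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // hidden from JavaScript
        'samesite' => 'Lax',
    ];
}

// Constructed input: the probe value from the Nikto message quoted above.
$probe = '<script>alert(document.cookie)</script>';

echo render_welcome_unsafe($probe), PHP_EOL; // markup passes through unchanged
echo render_welcome_safe($probe), PHP_EOL;   // angle brackets arrive as entities

// In the real page the value would come from the request, and the cookie
// would be set before any output is sent:
//   $msg = $_GET['top_message'] ?? '';
//   setcookie('session', $sessionId, session_cookie_options());
```

Escaping belongs at the point of output and must match the context (HTML body here); a value placed inside an attribute, a URL or a script block needs the encoding for that context instead.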