[web] Server Vulnerabilities

This topic is 4091 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

I was running a program against my server called Nikto, which is supposed to spot security issues with your website... and it produced the following message: /index.php?top_message=<script>alert(document.cookie)</script> - Led-Forums allows any user to change the welcome message, and it is vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET) I'm not sure what it means, but I figured it looked serious enough to ask the question here.

From what I can see, I'd guess the problem is that you aren't "safifying" the welcome message contents. If someone gives you a welcome message that's just "hi" it's all well and good, but what happens if they were to enter "DROP TABLE users" or something? If you aren't escaping/safifying your input, you're vulnerable to having a malicious user do something like that.

SQL insertion is not the threat. As already stated, cross site scripting is. Cross site scripting is when someone else (a bad person) is able to run JavaScript in the context of your website (either through a browser flaw, or because you let them do it through posting). Since the browser will think the JavaScript belongs to your site, it will have access to read and write any cookies your site stored on the user's computer.

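To make the two replies above concrete (the first one's advice to escape the welcome message, and the second one's point that the real risk is script running in the site's origin with access to its cookies), here is an added example that is not code from the thread and not Led-Forums' own code. The parameter name top_message and the payload are taken from the Nikto finding quoted in the first post; the page template, the function names and the cookie name are assumed. It is written as a small Node.js module so the vulnerable and hardened renderings can be compared side by side, but the fix is the same in PHP (htmlspecialchars($_GET['top_message'], ENT_QUOTES, 'UTF-8') when echoing the value).

```javascript
// Added example, not code from the original thread or from Led-Forums.
// Assumed: the page template, function names and the cookie name.
// Taken from the Nikto finding in the thread: the top_message parameter
// and the <script>alert(document.cookie)</script> payload.

// The payload Nikto sent, reproduced here as constructed test input.
const NIKTO_PAYLOAD = '<script>alert(document.cookie)</script>';

// Parse the query string the way the server sees it for
// /index.php?top_message=<payload>. URLSearchParams percent-decodes,
// so the server-side code receives the raw HTML the attacker supplied.
function topMessageFromUrl(url) {
  const u = new URL(url, 'http://forum.example'); // assumed host
  return u.searchParams.get('top_message') || '';
}

// Vulnerable rendering: the welcome message is concatenated straight into
// the HTML, so any markup a user supplies is parsed and executed by the
// browser in the forum's origin. This is the behaviour Nikto flagged.
function renderWelcomeUnsafe(topMessage) {
  return '<div class="welcome">' + topMessage + '</div>';
}

// Escape the five characters that can break out of an HTML text node or a
// quoted attribute. This is the same set PHP's htmlspecialchars() covers
// with ENT_QUOTES. Order matters: '&' must be replaced first, otherwise the
// entities produced by the later replacements would be re-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: same template, but the untrusted value is encoded
// for the context it lands in (HTML text) before it is inserted. The
// browser now displays the payload as literal text instead of running it.
function renderWelcomeSafe(topMessage) {
  return '<div class="welcome">' + escapeHtml(topMessage) + '</div>';
}

// A crude check, of the kind a regression test might use: does the page
// contain an executable <script> element? Browsers parse many more vectors
// than this (event-handler attributes, javascript: URLs), which is why the
// fix is output encoding, not pattern matching on input.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defence in depth for the cookie-theft point made in the second reply:
// a session cookie set with HttpOnly is not readable via document.cookie,
// so an XSS that does slip through cannot simply exfiltrate the session.
// (Assumed cookie name 'sid'; this is the Set-Cookie header value.)
function sessionCookieHeader(sessionId) {
  return 'sid=' + encodeURIComponent(sessionId) + '; Path=/; HttpOnly; SameSite=Lax';
}

// Walk the Nikto finding end to end: build the request, extract the
// parameter, and render it both ways.
function demo() {
  const url = '/index.php?top_message=' + encodeURIComponent(NIKTO_PAYLOAD);
  const msg = topMessageFromUrl(url);
  return {
    msg: msg,
    unsafe: renderWelcomeUnsafe(msg),
    safe: renderWelcomeSafe(msg),
  };
}

const result = demo();
console.log('unsafe:', result.unsafe);
console.log('safe:  ', result.safe);
console.log('cookie:', sessionCookieHeader('example-session-id'));
```

Running it prints the unescaped page with a live `<script>` element and the escaped page where the same characters appear as `&lt;script&gt;`. Note that escaping belongs at the point of output, in the context the value is written into: a value placed inside a JavaScript string or a URL attribute needs a different encoder than the HTML-text one shown here.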
