web application security lab

XSS strikes canned PHP again

I got into a really funny argument with a security guru about whether PHP was a good language or not. It’s a really inane argument if you ask me, and honestly I was just trying to get a rise out of him (it worked), but after it was all said and done and I told him I was kidding, I really started to think about it. What’s the difference between low and high level languages?

Well, that’s way too big and boring a topic. It’s sure to get everyone all upset and religious, arguing over minutiae and pedantry. I happen to be agnostic, personally… the right tools for the right job. But there is a good point in all of it, which is: who uses the tools? PHP to me is no different than JavaScript to code in. It takes very little expertise to know and use it at a functional level. I can’t tell you how many resumes I’ve seen where people say they know PHP but can’t even tell me how to write a loop.

Okay, but who does use it? For the most part people are using canned scripts, like my personal favorite to bash on, PHP-Nuke. Btw, try_og found yet another hole in PHP-Nuke today. But it goes beyond just that one application.

Luny found another XSS vulnerability in iFoto today. This one is worth mentioning because it doesn’t use HTML or URL escaping, but rather base64 encoding. This is really interesting because one thing I didn’t spell out in the XSS Cheat Sheet calculator is that every single vector should be encoded with every encoding method to test properly. What a pain, huh?

Anyway, these canned scripts are a dream for auditors. They often point to bigger issues (often reflected and stored XSS flaws are SQL injection flaws as well, and in a few cases I’ve seen problems that were caused because the application was trying to execute a program, one that didn’t exist, from the value I was injecting… oops!).

Actually, one of the funniest things that has happened to me during my auditing adventures was when I inadvertently brought down a system by injecting XSS through my user agent. It was calling some sort of resource and boom! I wouldn’t recommend changing your User-Agent to anything other than raw text. You’d be surprised how many applications have custom logging logic and how many of them can’t handle XSS and SQL injection attempts properly.
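The two situations above (a parameter that only turns dangerous after base64 decoding, and a log viewer that renders the raw User-Agent) come down to the same rule: escape at output time, after every decoding step, not on the raw input. Here is an added example in plain PHP; it is not code from iFoto, PHP-Nuke or this post, and the function names and the log entry shape are assumptions.

```php
<?php
// Added example (not code from iFoto, PHP-Nuke or the original post).
// Two cases the post points at: a parameter that is base64-decoded before
// it reaches the page, and a log viewer that prints the stored User-Agent.
// In both, escaping has to happen at output time, after any decoding,
// or the encoding simply bypasses whatever filter looked at the raw input.

// Escape for an HTML text node or attribute value. ENT_QUOTES covers both
// quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, which matters because decoded bytes may be anything.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the decoded value is echoed as-is. Checking the raw
// parameter for "<" would not help, because the dangerous characters only
// exist after base64_decode() runs.
function render_caption_vulnerable(string $encoded): string {
    $caption = base64_decode($encoded, true);   // strict: reject junk input
    if ($caption === false) { $caption = ''; }
    return '<div class="caption">' . $caption . '</div>';
}

// Hardened: decode first, then escape the result at the point of output.
function render_caption_safe(string $encoded): string {
    $caption = base64_decode($encoded, true);
    if ($caption === false) { $caption = ''; }
    return '<div class="caption">' . h($caption) . '</div>';
}

// Custom log viewer: the stored User-Agent is attacker-controlled text, so
// it is escaped like any other untrusted value. Entry shape is assumed:
// [['ip' => '...', 'ua' => '...'], ...]
function render_log_safe(array $entries): string {
    $out = "<table>\n";
    foreach ($entries as $e) {
        $out .= '<tr><td>' . h($e['ip']) . '</td><td>' . h($e['ua']) . "</td></tr>\n";
    }
    return $out . '</table>';
}

// Constructed sample input: a harmless markup marker that shows whether
// tags survive to the browser.
$marker  = '<b>test</b>';
$encoded = base64_encode($marker);
echo render_caption_vulnerable($encoded), "\n";  // tags reach the browser
echo render_caption_safe($encoded), "\n";        // &lt;b&gt;test&lt;/b&gt;
echo render_log_safe([['ip' => '192.0.2.1', 'ua' => 'Mozilla/5.0 "<test>"']]), "\n";
```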

/RSnake
