hack script and forms

Discussion in 'Javascript' started by steve, Dec 3, 2003.

  1. steve

    steve Guest

    Hi all

    what is it about that some one can paste script in the form field and
    submit the form and than what?

    can some one open my ice about that
    I like to know the bead and the good things about it

    Thanks
     
    steve, Dec 3, 2003
    #1

  2. steve

    Brian Guest

    "steve" <> wrote in message
    news:bqjil0$qqe$...
    > Hi all
    >
    > what is it about that some one can paste script in the form field and
    > submit the form and than what?
    >
    > can some one open my ice about that
    > I like to know the bead and the good things about it
    >
    > Thanks
    >
    >


    Hmmmm... I am guessing that this is a poor translation, because I have no
    idea what you are asking... sorry.
     
    Brian, Dec 3, 2003
    #2

  3. steve

    Lee Guest

    Brian said:
    >
    >
    >"steve" <> wrote in message
    >news:bqjil0$qqe$...
    >> Hi all
    >>
    >> what is it about that some one can paste script in the form field and
    >> submit the form and than what?
    >>
    >> can some one open my ice about that
    >> I like to know the bead and the good things about it
    >>
    >> Thanks
    >>
    >>

    >
    >Hmmmm... I am guessing that this is a poor translation, because I have no
    >idea what you are asking... sorry.


    I think he was trying to be clever.
    open my ice = "open my eyes".
     
    Lee, Dec 3, 2003
    #3
  4. steve

    Brian Guest

    "Lee" <> wrote in message
    news:...
    > Brian said:
    > >
    > >
    > >"steve" <> wrote in message
    > >news:bqjil0$qqe$...
    > >> Hi all
    > >>
    > >> what is it about that some one can paste script in the form field and
    > >> submit the form and than what?
    > >>
    > >> can some one open my ice about that
    > >> I like to know the bead and the good things about it
    > >>
    > >> Thanks
    > >>
    > >>

    > >
    > >Hmmmm... I am guessing that this is a poor translation, because I have no
    > >idea what you are asking... sorry.

    >
    > I think he was trying to be clever.
    > open my ice = "open my eyes".
    >


    Yeah, I read it that way... I still don't know what he is asking, and it is
    likely the case for the other readers of this group.

    Brian
     
    Brian, Dec 3, 2003
    #4
  5. steve

    Lee Guest

    Brian said:
    >
    >
    >"Lee" <> wrote in message
    >news:...
    >> Brian said:
    >> >
    >> >
    >> >"steve" <> wrote in message
    >> >news:bqjil0$qqe$...
    >> >> Hi all
    >> >>
    >> >> what is it about that some one can paste script in the form field and
    >> >> submit the form and than what?
    >> >>
    >> >> can some one open my ice about that
    >> >> I like to know the bead and the good things about it
    >> >>
    >> >> Thanks
    >> >>
    >> >>
    >> >
    >> >Hmmmm... I am guessing that this is a poor translation, because I have no
    >> >idea what you are asking... sorry.

    >>
    >> I think he was trying to be clever.
    >> open my ice = "open my eyes".
    >>

    >
    >Yeah, I read it that way... I still dont know what he is asking, and it is
    >likely the case for the other readers of this group.


    Oh. I understood the poorly-written question immediately, but my
    first impression had been that "open my ice" was a mistranslation,
    so I assumed that it was what was confusing you, too.

    He seems to be asking if it's true that a badly written server-side
    script can be coerced into executing code entered into form fields.

    Yes. He should read up on web server security.
     
    Lee, Dec 3, 2003
    #5
  6. steve

    620 Guest

    "Brian" <> wrote in message
    news:3fce1be9$1@10.10.0.241...
    >
    > "Lee" <> wrote in message
    > news:...
    > > Brian said:
    > > >
    > > >
    > > >"steve" <> wrote in message
    > > >news:bqjil0$qqe$...
    > > >> Hi all
    > > >>
    > > >> what is it about that some one can paste script in the form field and
    > > >> submit the form and than what?
    > > >>
    > > >> can some one open my ice about that
    > > >> I like to know the bead and the good things about it
    > > >>
    > > >> Thanks
    > > >>
    > > >>
    > > >
    > > >Hmmmm... I am guessing that this is a poor translation, because I have no
    > > >idea what you are asking... sorry.

    > >
    > > I think he was trying to be clever.
    > > open my ice = "open my eyes".
    > >

    >
    > Yeah, I read it that way... I still dont know what he is asking, and it is
    > likely the case for the other readers of this group.
    >
    > Brian
    >
    >


    ....in other words, what's this I hear about people putting script (i.e.,
    "var x = 0 / 0;") into the textbox of a form and submitting the form. What
    happens thereafter, someone explain it to me, and what are the good and...
    bead things about it.

    And the answer is:

    In order to open the Closed Eye of the Ice Demon, you'll need a Bottled Fire
    Elemental (get that in the linux/apache ng). Once the Eye is open, you take
    your Beads of the Delinquent Monk that you get in this ng and wrap them
    around the Ancient Staff of Warding (I have no idea where you get an ASoW
    these days, check google). Once the Beads are on the Staff, a localised
    blaze will ignite on the staff, about 3/4 of the way up. Let it burn itself
    out. A charred, round depression (socket) will be left. Put the Open eye
    into the charred socket. This creates the Visionary Staff of Delinquency.
    Come back and see me after you've obtained the staff and I'll show you how
    to smite a form with it.
     
    620, Dec 3, 2003
    #6
  7. steve

    Brian Guest

    "Lee" <> wrote in message
    news:...
    > Brian said:
    > >
    > >
    > >"Lee" <> wrote in message
    > >news:...
    > >> Brian said:
    > >> >
    > >> >
    > >> >"steve" <> wrote in message
    > >> >news:bqjil0$qqe$...
    > >> >> Hi all
    > >> >>
    > >> >> what is it about that some one can paste script in the form field and
    > >> >> submit the form and than what?
    > >> >>
    > >> >> can some one open my ice about that
    > >> >> I like to know the bead and the good things about it
    > >> >>
    > >> >> Thanks
    > >> >>
    > >> >>
    > >> >
    > >> >Hmmmm... I am guessing that this is a poor translation, because I have no
    > >> >idea what you are asking... sorry.
    > >>
    > >> I think he was trying to be clever.
    > >> open my ice = "open my eyes".
    > >>

    > >
    > >Yeah, I read it that way... I still dont know what he is asking, and it is
    > >likely the case for the other readers of this group.

    >
    > Oh. I understood the poorly-written question immediately, but my
    > first impression had been that "open my ice" was a mistranslation,
    > so I assumed that it was what was confusing you, too.
    >
    > He seems to be asking if it's true that a badly written server-side
    > script can be coerced into executing code entered into form fields.
    >
    > Yes. He should read up on web server security.
    >


    Oh, in that case, the poster should stop being cute, and get to the point.
    Basically, the answer is yes... it is very easy to screw with a badly
    written server-side script.

    For instance, let's say your script does something like:

    exec("SomeShellFunction " + formValue + " someParameter");

    and the user enters : something ; cat /etc/passwd | sendmail
    ;

    That is a very simple example of making a mess, and finding all of the users
    on the server :)

    A good way to _start_ to prevent it, is to do some server-side variable
    checking, and stripping illegal characters, such as ";`'@$ etc.

    B
     
    Brian, Dec 3, 2003
    #7
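
Added example, not part of Brian's post: it compares the character-stripping start he describes with an allowlist check plus an argument vector, using the value quoted in the post as input. Only `formValue` and `SomeShellFunction` come from the thread; every other name and the other sample values are constructed for illustration.

```javascript
// Added example (constructed). formValue and SomeShellFunction come from the
// post; every other name here is hypothetical.

// The denylist suggested in the post: strip " ; ` ' @ $
const stripDenylist = (v) => v.replace(/[";`'@$]/g, '');

// Characters a POSIX shell still treats specially (not exhaustive).
const SHELL_META = /[|&;<>()$`\\"'\n*?[\]{}~!#]/;
const hasShellMeta = (v) => SHELL_META.test(v);

// Allowlist: state what a valid value looks like and reject everything else.
// A leading "-" is refused so the value cannot be read as an option.
const ALLOWED = /^[A-Za-z0-9_][A-Za-z0-9._-]{0,63}$/;
const isAllowed = (v) => typeof v === 'string' && ALLOWED.test(v);

// Build an argument vector instead of a command string. APIs that take an
// argv array (Node's child_process.execFile, for example) start the program
// directly, so no shell ever parses the value.
function buildArgv(formValue) {
  if (!isAllowed(formValue)) {
    throw new RangeError('formValue rejected by allowlist');
  }
  return ['SomeShellFunction', formValue, 'someParameter'];
}

// Classify one submitted value under both approaches.
function review(formValue) {
  const stripped = stripDenylist(formValue);
  return {
    stripped,
    denylistStillUnsafe: hasShellMeta(stripped),
    allowlistAccepts: isAllowed(formValue),
  };
}

// Constructed sample inputs; the first is the value quoted in the post.
const samples = [
  'something ; cat /etc/passwd | sendmail ;',
  'report-2003.txt',
  '-rf',
];
for (const s of samples) console.log(JSON.stringify(s), review(s));
```

Stripping the listed characters leaves the `|` in the posted value untouched, which is why the post calls it only a start; the allowlist rejects that value outright and the argv form keeps an accepted value as a single argument.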
  8. steve

    steve Guest

    > >> >> Hi all
    > >> >>
    > >> >> what is it about that some one can paste script in the form field and
    > >> >> submit the form and than what?
    > >> >>
    > >> >> can some one open my ice about that
    > >> >> I like to know the bead and the good things about it
    > >> >>
    > >> >> Thanks
    > >> >>
    > >> >>
    > >> >
    > >> >Hmmmm... I am guessing that this is a poor translation, because I have no
    > >> >idea what you are asking... sorry.
    > >>
    > >> I think he was trying to be clever.
    > >> open my ice = "open my eyes".
    > >>

    > >
    > >Yeah, I read it that way... I still dont know what he is asking, and it is
    > >likely the case for the other readers of this group.

    >
    > Oh. I understood the poorly-written question immediately, but my
    > first impression had been that "open my ice" was a mistranslation,
    > so I assumed that it was what was confusing you, too.
    >
    > He seems to be asking if it's true that a badly written server-side
    > script can be coerced into executing code entered into form fields.
    >
    > Yes. He should read up on web server security.


    Sorry about my English
    I did not try to be clever, I just want to know as Lee gas how does
    that work and does it affect the server or the user computer.

    For example I have a web page .html with a form in site using form to
    mail function.
    What script can some body use to harm me or the server.
    How can I protect myself from such scripts
    and on the other hand
    How can I use such script to harm somebody's computer or a server.

    Thanks and I hope that you guys understand my English
     
    steve, Dec 3, 2003
    #8
  9. steve

    Lee Guest

    steve said:

    >Sorry about my English


    Sorry about guessing incorrectly.

    >I did not try to be clever, I just wont to know as Lee [guess] how does
    >that work and does it effect the server or the user computer.


    The server.

    >For example I have a web page .html with a form in site using form to
    >mail function.
    >What script can some body use to harm me or the server.
    >How can I protect myself from such scripts


    If you're using a form to mail function provided by your ISP or some
    other site, then you (and they) should be safe. People don't usually
    have much need to write their own, so I'm assuming that's the case.
     
    Lee, Dec 3, 2003
    #9