  1. #1
    SitePoint Member

    what is w.php?css=/mdd/cc-none

    I noticed that someone used such code in the address bar:
    w.php?css=/mdd/cc-none
    The file (page) name is w.php and someone added the code ?css=/mdd/cc-none

    So the question: what is ?css=/mdd/cc-none
    Hackers?

  2. #2
    felgall
    It is passing '/mdd/cc-none' into the w.php script in the $_GET['css'] field. If that script doesn't reference that field then it does nothing. If the script does reference the field then it does whatever the script is supposed to do with that field using that value.

    If that field is used then the first step in the code should be validating that it contains a meaningful value for the script to use, and so either '/mdd/cc-none' will pass validation because it is a valid value, in which case the script will use it, or it will fail validation and the script will produce an error.

    The only way a hacker could gain any benefit by entering that would be if the script uses the field and whoever wrote the script neglected to validate it - since it can easily have any value supplied by anyone and so it is absolutely essential that it be validated FIRST before doing anything else with it.
    Stephen J Chapman

  3. #3
    SitePoint Member
    Thank you for the reply.
    I have little knowledge of programming.
    Could you explain what "to validate" means?
    For example, I use a form with various fields.... and someone can insert (inject) some value? How to avoid it? I mean a usual form: <input type="text" name="hours1" id="hours1" maxlength="15" value="" onkeyup="this.value = this.value.replace(/,/g,'.')" size="9"> Then php $_POST... and the script does calculations etc.

  4. #4
    dklynn
    riga,

    Validating means that you check the value for something which is expected, i.e., legal as far as your script is concerned.

    From my point of view, I doubt that you are using a w.php script so I'm guessing that you've been hacked and you should investigate that with the help of your host's support group. Also, look at other "you've been hacked" threads here.

    Regards,

    DK
    David K. Lynn

  5. #5
    SitePoint Member
    Thanks for the answer. So I understand I need to ensure that the user can input only allowed values. OK
    Regarding the hack, I do not think the website / server is hacked.
    Google Webmaster Tools reported 174 server (crawl) errors:
    Google detected a significant increase in the number of URLs we could not access. It is likely that your server had an internal error or was busy when attempting to process these requests.
    Most of the errors were for URLs like this: file-name.php?css=/mdd/cc-none
    If I open the URL, I get
    Method Not Implemented

    GET to /external-source-document.php not supported.
    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

  6. #6
    From Italy with love silver trophybronze trophy
    guido2004's Avatar
    Join Date
    Sep 2004
    Posts
    9,509
    Mentioned
    163 Post(s)
    Tagged
    4 Thread(s)
    Quote Originally Posted by rigaconnect:
    So I understand I need to ensure that user can input only allowed values.
    You can't. A malicious user can always send your script any value he wants.
    What you can (and must) do, is validate the values sent by the user to your script before using them for anything else in the script.
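As an added example that is not part of the thread and not code from any of the posters, the following PHP script shows the validation felgall, dklynn and guido2004 describe, applied to the two values discussed above: the ?css= query field is used only as a lookup key into an allowlist of stylesheet names rather than as a path, and the hours1 form field is checked on the server as a bounded decimal, with the comma-to-dot rewrite done there instead of trusting the browser-side onkeyup handler. The stylesheet names, the css/ directory, the 0..744 range and the sample request values are assumptions made for illustration.

```php
<?php
// Added example for this thread (not code from any of the posters).
// Assumptions: stylesheets live under css/, the form field is "hours1",
// and the allowlist keys are illustrative.
declare(strict_types=1);

// The pattern the thread warns against: the raw request value decides
// which file is read, so the caller can name files the script never meant
// to serve (the caller controls every byte of $_GET['css']):
//     include 'css/' . $_GET['css'] . '.css';   // DO NOT DO THIS

// Allowlist: the only stylesheets the script knows about. The request
// value is used only as a lookup key, never as part of a path.
const STYLESHEETS = [
    'default' => 'css/default.css',
    'print'   => 'css/print.css',
];

/**
 * Return the stylesheet path for a request value, or null if the value
 * is not an allowed key. '/mdd/cc-none', '../config.php' and anything
 * else not in the list fail closed.
 */
function validate_css(?string $value): ?string
{
    if ($value === null) {
        return STYLESHEETS['default'];   // field absent: use the default
    }
    return STYLESHEETS[$value] ?? null;  // unknown key: reject
}

/**
 * Validate the "hours1" form field on the server: up to 3 digits, an
 * optional decimal part with "," or "." as separator (the comma-to-dot
 * rewrite moves here because the onkeyup handler runs in the browser and
 * can be bypassed), at most 15 characters, in the range 0..744 (hours in
 * a 31-day month, an assumed business rule). Returns a float or null.
 */
function validate_hours(?string $value): ?float
{
    if ($value === null || strlen($value) > 15) {
        return null;
    }
    $normalised = str_replace(',', '.', trim($value));
    if (!preg_match('/^\d{1,3}(\.\d{1,2})?$/', $normalised)) {
        return null;
    }
    $hours = (float) $normalised;
    return ($hours >= 0.0 && $hours <= 744.0) ? $hours : null;
}

// In a real request handler the request arrays feed the same functions:
//     $css   = validate_css($_GET['css'] ?? null);
//     $hours = validate_hours($_POST['hours1'] ?? null);
//     if ($css === null || $hours === null) { http_response_code(400); exit; }

// Constructed sample values (not real traffic) so the script runs offline.
$get_samples  = [null, 'print', '/mdd/cc-none', '../config.php'];
$post_samples = ['8', '7,5', '7.25', '12abc', '999', str_repeat('1', 16)];

foreach ($get_samples as $css) {
    printf("css=%-18s -> %s\n", var_export($css, true),
        validate_css($css) ?? 'REJECTED');
}
foreach ($post_samples as $hours) {
    $h = validate_hours($hours);
    printf("hours1=%-20s -> %s\n", var_export($hours, true),
        $h === null ? 'REJECTED' : (string) $h);
}
```

Run it with the php command-line binary; in the real script the $_GET/$_POST lookups shown in the comment replace the sample arrays, and a null return is answered with a 400 before the script does anything else with the value. The point of the allowlist design is that the request value never reaches the filesystem at all, so there is nothing for an unexpected value such as /mdd/cc-none to do except be rejected.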

