Sborg's xss vulnerability
- Thread starter masterb56
- Start date
- Status
5 comments
Dean2k offcorse you get a 404 error, you are meant to replace domain.com with YOUR sBorg (sub)domain.
As of masterb56's post, I'm not much of a PHP expert, but as far as I know echo() will only echo the text/code within the message to the html source, meaning if you ware to send a PHP code, it wouldn't be executed. On the other hand, it may be possible to manipulate the HTML, by sending wrong/malicious HTML/JAVA code, but it don't be saved it will only be visible once when the message is sent.
right?
As of masterb56's post, I'm not much of a PHP expert, but as far as I know echo() will only echo the text/code within the message to the html source, meaning if you ware to send a PHP code, it wouldn't be executed. On the other hand, it may be possible to manipulate the HTML, by sending wrong/malicious HTML/JAVA code, but it don't be saved it will only be visible once when the message is sent.
right?
Yes this could be a problem is someone is a genius..
Let me put it like this.. Each message has a id.. The id is randomized.. So once the id is made it is encoded into base64.. Base 64 can be decoded but whos gonna sit there and try to figure out the id number..
It would take years to delete a message xD..
Let me put it like this.. Each message has a id.. The id is randomized.. So once the id is made it is encoded into base64.. Base 64 can be decoded but whos gonna sit there and try to figure out the id number..
It would take years to delete a message xD..
In PHP codes, eval = BAD, echo = OK.
Echo means you are outputting data to user. So yes, you can pass javascript codes to user through it. But would anyone care explain why I would click on MY sBorg link if it looks like
I mean just the link looks suspecious enough not to click, specially when i know my sBorg url is
Btw, yes, you can edit your index page's html and PHP codes so you can make what ever changes you like to it (which is much more dangerous then a simple echo statement that requires the user to click on a suspecious link!)
.
Echo means you are outputting data to user. So yes, you can pass javascript codes to user through it. But would anyone care explain why I would click on MY sBorg link if it looks like
Code:
http://somik.a.sborg.us/sborg/index.php?del_msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ+I mean just the link looks suspecious enough not to click, specially when i know my sBorg url is
Code:
http://somik.a.sborg.us/sborg/Btw, yes, you can edit your index page's html and PHP codes so you can make what ever changes you like to it (which is much more dangerous then a simple echo statement that requires the user to click on a suspecious link!)
.
- Status