[thelist] input type="image" vs. input type="button"

Phil Turmel philip at turmel.org
Thu Aug 24 17:06:32 CDT 2006


Christian Heilmann wrote:
>>>It seems to me you are trying to solve a problem that won't exist ...
>>>once your link looks like this...
>>>
>>>http://example.com/product.php?productid=1
>>>
>>>... Your html ends up like this:
> 
> 
> And you are probably VERY vulnerable to XSS. Wouldn't it be nice to
> just take what someone asks for and give a solution for that?
> 
> Change your FORM to this:
> 
>   <form name="quickform" action="send.php" method="post">
>           <label for="quickpicks">Select a topic:</label>
>           <select name="quickpicks">
>                   <option value="selected">Tell me more about...</option>
>                   <option value="product1.php">Product One</option>
>                   <option value="product2.php">Product Two</option>
>                   <option value="product3.php">Product Three</option>
>                   <option value="product4.php">Product Four</option>
>                   <option value="product5.php">Product Five</option>
>           </select>
>           <input type="image" src="go.gif" alt="go" />
>   </form>
> 
> and send.php:
> 
> <?php header('Location:'.$_POST['quickpicks']);?>
> 
> You can then add a JavaScript that makes sure the first choice isn't
> picked, or rather get rid of it.
> 
Christian,

Nothing I recommended suggests or requires echoing part of the form 
submission back to the browser, a basic starting point for a 
cross-site-scripting attack.  If using a single script with a query part 
to pick one of several pages to serve is inherently vulnerable to XSS 
without any other action, millions of CMS users are screwed.

You, on the other hand, gave a PHP example that is in fact vulnerable to 
header injection for users of PHP prior to version 4.4.2 and 5.1.2.  A 
malicious visitor could post a multi-line value to 'quickpicks' and they 
are IN.

If I'm wrong, please enlighten me.

However, you are correct that I did not give a sufficiently complete 
answer.  So...

Jono,

Assuming all your temporary pages can have numerical suffixes, here's a 
quick and dirty temporary script for your 'product.php' that redirects 
to your existing pages until you get a DB running:


<?php

/* Go back home (or wherever else) if they hit "GO"
   without picking something from the drop down,
   or if no productid was sent at all */

if (!isset($_GET['productid']) || $_GET['productid'] == 'selected') {
	header('Location: /');
	exit;
}

/* Go to the product page based on the select value.
   intval() reduces whatever was submitted to a plain integer,
   so no newline or other header text can reach the Location header. */

header('Location: product'.intval($_GET['productid']).'.php');
exit;
?>


Phil
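The contrast between the two scripts above, as an added example that is not part of the thread: the submitted value is never copied into the Location header; it is only used as a key into an allow-list of pages that actually exist (a constructed list standing in for the DB that is not there yet), and anything else falls back to the home page.

```php
<?php
// Added example (not from the thread): resolve the submitted form value to a
// redirect target without ever copying raw user input into a response header.

// Constructed allow-list of the pages that exist today; a DB can replace it later.
const PRODUCT_PAGES = [
    '1' => '/product1.php',
    '2' => '/product2.php',
    '3' => '/product3.php',
];

/**
 * Return the Location value for a submitted productid.
 * Anything that is not a known id sends the visitor home.
 */
function resolve_redirect(?string $productid): string
{
    // Missing value or the "Tell me more about..." placeholder: go home.
    if ($productid === null || $productid === '' || $productid === 'selected') {
        return '/';
    }
    // A header value must be a single line. The allow-list below already
    // rejects anything with CR or LF in it; this check just makes the
    // intent explicit.
    if (preg_match('/[\r\n]/', $productid)) {
        return '/';
    }
    // Only ids that map to a known page are redirected.
    return PRODUCT_PAGES[$productid] ?? '/';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, including a multi-line value of the kind
    // the post above describes and a path that is not a product page.
    $samples = ['1', '3', 'selected', '', "1\r\nX-Injected: yes", '../admin.php', null];
    foreach ($samples as $s) {
        printf("%-28s -> %s\n", json_encode($s), resolve_redirect($s));
    }
} else {
    // In the web context this is the whole of product.php.
    header('Location: ' . resolve_redirect($_GET['productid'] ?? null));
    exit;
}
```

Run from the command line it prints one line per sample; only '1' and '3' resolve to a product page, everything else resolves to '/'.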
