PHP books
John H. Robinson, IV
jhriv at ucsd.edu
Tue Feb 8 07:49:52 PST 2000
On Mon, Feb 07, 2000 at 08:59:02PM -0800, Tracy R Reed wrote:
>
> Plus I think the idea of putting executable code in HTML is rather
> messy.
plus buggy.
i am sure that most people are aware of some email sites (hotmail) that
have problems with javascript getting injected into peopl'e mail (it has
been in bugtraq a lot)
now if you have php running on the server, and a rouge php script is
injected to the server (like, say, hotmail or any of those neato
guestbook or faq-o-matic type things) you could wreak a lot of havok
(depending upon what the php is allowed to do, like say mailing
/etc/shadow to icollectshadowfiles at evil.hak3rz.com)
there needs to be a very strong distinction between data and code. html
client and server side scripts blend that, way too much.
why not put executable code on the stack? oh wait - exploits do that all
the time ;)
-john
ps: a whois showed that hak3rz.com is not registered, so i feel free in
using it as a null example.
More information about the KPLUG-List
mailing list