2 replies to this topic

[rigozeta]

Ok, I was so stupid at this, how can I prevent hackers using this?

<script>alert(document.cookie)</script>

A user registered at my site, and in he put it in his profile, lol I think he used it cause the profile section executes scripts... how can I stop it?
I want it not to execute scripts... I only used "nl2br", stripslashes, htmlspecialchars...
please help...

Edited by rigozeta, 23 May 2006 - 09:23 PM.

[rc69]

The easiest fix would be to disallow the use of JS in profiles, more than just cookie hacking can be done through JS.

If you already use htmlspecialchars(), then there is no theoretical way that a user could use scripts, as it would remove the script tags. Either you replace the script tags, or you have something else that's enabling the use of JS. One quick fix would be to simply replace "document.cookie" with nothing in anything that could contain JS.

But i do have one question for you. How could you get hacked like that? First off, passwords are normally encrypted before being saved in a cookie (if they aren't with what you're using, they should be). And second, it would show the user's cookies, not yours. Am i missing something, or is somebody just confused here?

[Matthew.]

Your coding would have to be pretty bad to be hacked by changing a cookie. And as rc69 already said, they would only be able to retrieve an MD5 hash (normally) of the password and their username. No one else's. It cant hurt if they decode their own password (i know md5 cannot technically be decoded, buy you can 'reverse' it pretty simply.)

Also, you can find out the cookie's just by pasting

java script:alert(document.cookie);

into your browser bar.