Joined: Jun 2006
Posts: 16,299 Likes: 116
Well, I get a frantic set of messages from a client this morning; their site is "automagically" forwarding all users who view the Who's Online to a 3rd party website... Thinking they've been hacked, they're quite worried... So, I dive in and mess around, and google the site they're being redirected to... seems the User Agent of the site is:

<SCRIPT>window.location='http://www.syncrisis.com'</script> (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)

Also have seen:

"<SCRIPT>window.location='http://www.syncrisis.com'</script> (compatible; MSIE 7.0; Windows NT 5.1)"

Curious if we can get strip_tags on the user agent field in the WOL page so "abusive bots" can't embed scripts... I see it as quite a little security issue...
Joined: Jun 2006
Posts: 196
enthusiast
I really don't like using strip_tags on things since it isn't really related to the problem (the problem being we don't escape agent strings), so the user agent is now passed through htmlspecialchars.
Joined: Jun 2006
Posts: 16,299 Likes: 116
Danka Ian ... Figured, there's numerous ways to get it all routed so it's not parsed (strip_tags, htmlspecialchars, regex, str_replace, etc etc etc).
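As an added example (not code from the forum or from UBB.threads itself), here is the before and after of the fix Ian describes, in PHP, with constructed agent strings; the hostile one is the User-Agent quoted earlier in the thread, and the function names are made up for the illustration.

```php
<?php
// Added example, not UBB.threads code: why escaping the User-Agent with
// htmlspecialchars() fixes the Who's Online problem, and why strip_tags()
// only papers over it. All agent strings below are constructed.

// Before the fix: the agent string is dropped straight into the markup, so
// the browser parses any tags it contains, as happened in the thread.
function wol_row_unescaped(string $agent): string
{
    return '<td>' . $agent . '</td>';
}

// After the fix: every <, >, &, " and ' becomes an entity, so the browser
// displays the agent string as text no matter what it contains.
function wol_row_escaped(string $agent): string
{
    return '<td>' . htmlspecialchars($agent, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// The strip_tags() alternative: tags are deleted rather than neutralised,
// which mangles legitimate data and does nothing for non-tag characters.
function wol_row_stripped(string $agent): string
{
    return '<td>' . strip_tags($agent) . '</td>';
}

// The User-Agent quoted in the thread.
$hostile = "<SCRIPT>window.location='http://www.syncrisis.com'</script> (compatible; MSIE 7.0; Windows NT 5.1)";
// A harmless agent that merely happens to contain angle brackets and quotes.
$benign  = 'ExampleCrawler/1.0 (+<contact@example.com>; "beta" build)';

foreach ([$hostile, $benign] as $agent) {
    // unescaped: the hostile row would execute in a browser
    echo 'unescaped: ', wol_row_unescaped($agent), PHP_EOL;
    // escaped: both rows render literally, nothing is lost
    echo 'escaped:   ', wol_row_escaped($agent), PHP_EOL;
    // stripped: hostile text survives minus its tags; benign loses <contact@example.com>
    echo 'stripped:  ', wol_row_stripped($agent), PHP_EOL;
}

// The same escaping also covers attribute context (e.g. a title tooltip),
// where strip_tags() would leave the quote character free to end the attribute.
echo '<td title="' . htmlspecialchars($benign, ENT_QUOTES, 'UTF-8') . '">agent</td>', PHP_EOL;
```

The escaping has to happen at output time for each HTML context; storing the escaped string would not help a page that later echoes it inside a script block or an attribute.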