tags:

views:

64

answers:

2
+1  Q: 

PHP tags in URL

So I made a landing page for all these forms that the marketing department at my work makes. One of the fields they pass is a URL that I redirect to after I'm done processing - a thank you page.

Recently, I discovered a URL that looked like this:

http://www.oursite.com/folder/thank-you.php?thankyou=free-guide&amp;amp;adgroup=&lt;?php echo nfpa-c ?>&amp;reference=<?php echo  ?>

Does this amount to anything but the form creator being dumb? My page is throwing huge errors about security and cross-site scripting, etc. What are the implications of this? Is there any legitimate reason to do this?

EDIT/UPDATE: My landing page is in ASP.NET. The error it mentions is possible cross-site scripting.

+3  A:  
<?php echo nfpa-c ?

I don't think it's the poster being dumb - this looks more like an outgoing form was not setup properly (e.g. PHP instructions used in a .html page that doesn't get parsed by the PHP interpreter.)

Check out the originating forms and look into their source code.

Pekka  2010-07-22 16:38:53
Actually, this is hardcoded into an input field.<input type='hidden' name='success' value='*'> * the url from above
Brandi  2010-07-22 16:40:34
@Brandi it's very likely meant to be parsed by PHP, isn't it?
Pekka  2010-07-22 16:43:41
Quite possibly, but since it's not a variable, it's just outputting hardcoded text, it makes me think this is a really bad practice to put the tags in the url. They aren't going to want to change their forms, so I'm wondering what the implications are of just allowing this and turning the validation on my page to false?
Brandi  2010-07-22 16:47:45
@Brandi there are no security implications as such on your end, but there could be sensitive data in the PHP source in the sending form. Also, it's well possible that statistical data (adgroups..?) is getting lost.
Pekka  2010-07-22 16:54:28
So, someone could not post to my page a url that did something harmful if I just allow script to exist without any validation? So I could make a new page with <input type='hidden' name='success' value='http://mysite.com/<? php BADCODE ?>'>, and simply redirecting to that page will not be harmful to anyone involved?
Brandi  2010-07-22 17:01:36
@Brandi nope, it would be totally harmless: If the code is not executed on your page straight away, it's just a meaningless series of characters.
Pekka  2010-07-22 17:06:55
@Pekka: Thanks. :)
Brandi  2010-07-22 19:04:43
+1  A: 

There is no legitimate reason to pass PHP code on the url like this. In fact it would be a Remote Code Execution Vulnerability, which is as bad as it gets its like like saying "Check Mate". I would make sure that that you don't have this code running, although its likely a bug because in php they would use eval("echo 'nfpa-c'");, you can't eval php tags like that, so its probably untested code.

Rook  2010-07-22 18:08:19
This was exactly it. They made a syntax error and we convinced them to fix it.
Brandi  2010-07-22 19:03:33
Assuming the PHP code came in there by accident, how is this a vulnerability?
Pekka  2010-07-22 19:15:25
@Pekka passing php code in as a GET parameter is most defiantly a vulnerability, this bug however is not.
Rook  2010-07-22 20:53:28

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases