[B! XSS] natto_tamagoã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

natto_tamago id:natto_tamago

XSSã«é–¢ã™ã‚‹natto_tamagoã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (2)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

13. $_SERVER['PHP_SELF']ã¨XSSè„†å¼±æ€§
çš†ã•ã‚“ã¯åŒã˜ã‚¹ã‚¯ãƒªãƒ—ãƒˆã¸ã®ãƒªãƒ³ã‚¯ã‚’è²¼ã‚‹æ™‚ã€ã©ã®æ§˜ã«è¨˜è¿°ã—ã¦ã„ã¾ã™ã‹ï¼Ÿ $_SERVER['PHP_SELF']ã‚’ç”¨ã„ã‚‹ã“ã¨ãŒã‚ã‚‹ã®ã§ã¯ãªã„ã§ã—ã‚‡ã†ã‹ã€‚ã“ã‚Œã‚’ç›´æŽ¥ç”¨ ã„ã‚‹ã“ã¨ã¯å±é™ºã§ã™ã€‚ãªãœãªã‚‰ã°ã€$_SERVER['PHP_SELF']ã«ã¯ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆãƒ»ã‚¹ ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°ï¼ˆXSSï¼‰è„†å¼±æ€§ãŒå˜åœ¨ã™ã‚‹ã‹ã‚‰ã§ã™ã€‚ $_SERVER['PHP_SELF']ã¯ã—ã°ã—ã°æ¬¡ã®ã‚ˆã†ã«ä½¿ã‚ã‚Œã¾ã™ã€‚ <formÂ method="post"Â action="<?phpÂ echoÂ $_SERVER['PHP_SELF']Â ?>"> ã“ã®ãƒšãƒ¼ã‚¸ï¼ˆã“ã“ã§ã¯http:/www.example.jp/example.phpï¼‰ã¸ä¸‹è¨˜ã®æ§˜ã«ãƒªãƒ³ã‚¯ ã‚’è²¼ã‚Šã€ã‚¯ãƒªãƒƒã‚¯ã—ã¦ã¿ã¦ä¸‹ã•ã„ã€‚ <aÂ href="http://www.example.jp/ example.php/%22%3E%3Cscript%3Ealert(%27XS
natto_tamago 2017/11/09
PHP

XSS
ãƒªãƒ³ã‚¯
$_SERVER['PHP_SELF']ã¯å±é™ºï¼Ÿ - [PHP + PHP] ãºã‚“ãŸã‚“ info
PHPã§è‡ªãƒšãƒ¼ã‚¸ã‹ã‚‰è‡ªãƒšãƒ¼ã‚¸ã¸é·ç§»ã™ã‚‹å‹•ä½œã‚’ã•ã›ã‚‹ã¨ãã€Aã‚¿ã‚°ã‚„FORMã‚¿ã‚°ã«$_SERVER['PHP_SELF']ã‚’ä½¿ã†æ–¹æ³•ãŒã‚ã‚Šã¾ã™ã€‚ Aã‚¿ã‚°ã«ä½¿ã†å ´åˆ <a href="<?php echo $_SERVER['PHP_SELF']; ?>"> FORMã‚¿ã‚°ã«ä½¿ã†å ´åˆ <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"> ã—ã‹ã—ã“ã®ã‚ˆã†ãªç›®çš„ã§$_SERVER['PHP_SELF']ã‚’ä½¿ã†ã¨ãã«ã¯æ°—ã‚’ã¤ã‘ãŸã»ã†ãŒã„ã„ã§ã™ã€‚ XSS(ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°)ã¨ã„ã†ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãƒ¼ãƒ›ãƒ¼ãƒ«ã«ãªã‚Šã¾ã™ã€‚ CakePHPã‚„Zend Frameworkãªã©mod_rewriteã‚’ä½¿ã£ã¦ã„ã‚‹ã¨ãã§ã™ã€‚ ä¾‹ãˆã°æ¬¡ã®ã‚ˆã†ãªURL http://example.com/hoge.php/"><script>alert('
natto_tamago 2014/12/28
PHP

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

XSS
ãƒªãƒ³ã‚¯
1

ãŠçŸ¥ã‚‰ã›

ã‚‚ã£ã¨èªã‚€

å…¬å¼Twitter

@hatebu
æœ€æ–°ã®äººæ°—ã‚¨ãƒ³ãƒˆãƒªãƒ¼ã®é…ä¿¡

ã‚ãƒ¼ãƒœãƒ¼ãƒ‰ã‚·ãƒ§ãƒ¼ãƒˆã‚«ãƒƒãƒˆä¸€è¦§

jæ¬¡ã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

kå‰ã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

lã‚ã¨ã§èªã‚€

eã‚³ãƒ¡ãƒ³ãƒˆä¸€è¦§ã‚’é–‹ã

oãƒšãƒ¼ã‚¸ã‚’é–‹ã

è¨å®šã‚’å¤‰æ›´ã—ã¾ã—ãŸx

ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

ã‚¿ã‚°

é–¢é€£ã‚¿ã‚°ã§çµžã‚Šè¾¼ã‚€ (2)

XSSã«é–¢ã™ã‚‹natto_tamagoã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (2)

ãŠçŸ¥ã‚‰ã›

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2025å¹´3æœˆç¬¬5é€±ï¼‰

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2025å¹´3æœˆç¬¬4é€±ï¼‰

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2025å¹´3æœˆç¬¬3é€±ï¼‰

å…¬å¼Twitter

ã‚ãƒ¼ãƒœãƒ¼ãƒ‰ã‚·ãƒ§ãƒ¼ãƒˆã‚«ãƒƒãƒˆä¸€è¦§

ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

å…¬å¼Twitter

ã¯ã¦ãªã®ã‚µãƒ¼ãƒ“ã‚¹

ã‚¿ã‚°

é–¢é€£ã‚¿ã‚°ã§çµžã‚Šè¾¼ã‚€ (2)

XSSã«é–¢ã™ã‚‹natto_tamagoã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (2)

13. $_SERVER['PHP_SELF']ã¨XSSè„†å¼±æ€§

$_SERVER['PHP_SELF']ã¯å±é™ºï¼Ÿ - [PHP + PHP] ãºã‚“ãŸã‚“ info

ãŠçŸ¥ã‚‰ã›

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚­ãƒ³ã‚°ï¼ˆ2025å¹´3æœˆç¬¬5é€±ï¼‰

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚­ãƒ³ã‚°ï¼ˆ2025å¹´3æœˆç¬¬4é€±ï¼‰

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚­ãƒ³ã‚°ï¼ˆ2025å¹´3æœˆç¬¬3é€±ï¼‰

å…¬å¼Twitter

ã‚­ãƒ¼ãƒœãƒ¼ãƒ‰ã‚·ãƒ§ãƒ¼ãƒˆã‚«ãƒƒãƒˆä¸€è¦§

ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

å…¬å¼Twitter

ã¯ã¦ãªã®ã‚µãƒ¼ãƒ“ã‚¹

é–¢é€£ã‚¿ã‚°ã§çµžã‚Šè¾¼ã‚€ (2)

XSSã«é–¢ã™ã‚‹natto_tamagoã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (2)

13. $_SERVER['PHP_SELF']ã¨XSSè„†å¼±æ€§

$_SERVER['PHP_SELF']ã¯å±é™ºï¼Ÿ - [PHP + PHP] ãºã‚“ãŸã‚“ info

ãŠçŸ¥ã‚‰ã›

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2025å¹´3æœˆç¬¬5é€±ï¼‰

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2025å¹´3æœˆç¬¬4é€±ï¼‰

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2025å¹´3æœˆç¬¬3é€±ï¼‰

å…¬å¼Twitter

ã‚ãƒ¼ãƒœãƒ¼ãƒ‰ã‚·ãƒ§ãƒ¼ãƒˆã‚«ãƒƒãƒˆä¸€è¦§

ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

å…¬å¼Twitter

ã¯ã¦ãªã®ã‚µãƒ¼ãƒ“ã‚¹