[Home] [Downloads] [Search] [Help/forum]

Register forum user name Search FAQ

Gammon Forum

See www.mushclient.com/spam for dealing with forum spam. Please read the MUSHclient FAQ!

[Folder]  Entire forum
-> [Folder]  Forum
. -> [Folder]  Announcements
. . -> [Subject]  Patch to stop cross-site scripting (XSS) has been done

Patch to stop cross-site scripting (XSS) has been done

Postings by administrators only.

[Refresh] Refresh page

Posted by Nick Gammon   Australia  (22,884 posts)  [Biography] bio   Forum Administrator
Date Sun 04 Feb 2018 02:22 AM (UTC)

Amended on Sun 04 Feb 2018 06:19 AM (UTC) by Nick Gammon

I was advised that this site was vulnerable to certain XSS attacks.

See Cross-site scripting - Wikipedia

This has now been patched to eliminate this threat.

Although all user input was carefully validated, the actual URL used to access a particular page was not validated, per se. For example:


In this example the "id" of 14156 and the "page" of 999 were validated to contain reasonable characters (eg. numbers in this case) and not exceed a reasonable length.

However the actual URL itself is contained in a PHP variable called $PHP_SELF which means "the URL of the current page". In places, this was used to generate links to other pages. The attack came by appending extra text to the URL, like this:


What this did was, when $PHP_SELF was used, was to terminate the quoted URL, and then drop into other code (the "svg" stuff). Since that would be embedded in a page from a trusted server (this server) then someone could trick your browser into executing arbitrary code.

The nature of the attack would be:

  • Alice would tell Bob (or post a link on a page under Alice's control): "Hey, check out this interesting site!" - including a URL with the attack vector at the end.

  • Bob would visit the site. The attacking code would be echoed back as part of the $PHP_SELF, which would cause undesirable things to happen on Bob's computer.

Personally I am using NoScript - an extension for Firefox which catches such XSS scripting attempts.

Even though this site should be impervious to such attacks in the future, apparently there are a lot of sites which are still vulnerable. I recommend you install NoScript to help catch people attempting to sneak scripts into your browser.

- Nick Gammon

www.gammon.com.au, www.mushclient.com
[Go to top] top

The dates and times for posts above are shown in Universal Co-ordinated Time (UTC).

To show them in your local time you can join the forum, and then set the 'time correction' field in your profile to the number of hours difference between your location and UTC time.


Postings by administrators only.

[Refresh] Refresh page

Go to topic:           Search the forum

[Go to top] top

Quick links: MUSHclient. MUSHclient help. Forum shortcuts. Posting templates. Lua modules. Lua documentation.

Information and images on this site are licensed under the Creative Commons Attribution 3.0 Australia License unless stated otherwise.


Written by Nick Gammon - 5K   profile for Nick Gammon on Stack Exchange, a network of free, community-driven Q&A sites   Marriage equality

Comments to: Gammon Software support
[RH click to get RSS URL] Forum RSS feed ( https://gammon.com.au/rss/forum.xml )

[Best viewed with any browser - 2K]    [Hosted at FutureQuest]