Brandi

Reputation: 1579

PHP tags in URL

So I made a landing page for all these forms that the marketing department at my work makes. One of the fields they pass is a URL that I redirect to after I'm done processing - a thank you page.

Recently, I discovered a URL that looked like this:

http://www.oursite.com/folder/thank-you.php?thankyou=free-guide&adgroup=<?php echo nfpa-c ?>&reference=<?php echo  ?>

Does this amount to anything but the form creator being dumb? My page is throwing huge errors about security and cross-site scripting, etc. What are the implications of this? Is there any legitimate reason to do this?

EDIT/UPDATE: My landing page is in ASP.NET. The error it mentions is possible cross-site scripting.

Upvotes: 1

Views: 137

Answers (2)

rook

Reputation: 67004

There is no legitimate reason to pass PHP code on the URL like this. In fact it would be a Remote Code Execution Vulnerability, which is as bad as it gets; it's like saying "Check Mate". I would make sure that you don't have this code running, although it's likely a bug because in PHP they would use eval("echo 'nfpa-c'");, you can't eval PHP tags like that, so it's probably untested code.

Upvotes: 1

Pekka

Reputation: 449843

<?php echo nfpa-c ?

I don't think it's the poster being dumb - this looks more like an outgoing form was not set up properly (e.g. PHP instructions used in a .html page that doesn't get parsed by the PHP interpreter.)

Check out the originating forms and look into their source code.

Upvotes: 3
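An added example, not part of the question or either answer above: one way to act on the advice to check the originating forms is to scan the markup as the browser receives it, and the incoming thank-you URLs, for PHP tags that were never rendered. The function names, the sample form and the `landing.example` host are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A PHP open tag (<?php, <?= or <?) up to its closing ?> or the end of the
# text; the XML declaration <?xml ... ?> is deliberately excluded.
PHP_TAG = re.compile(r"<\?(?!xml\b)(?:php\b|=)?.*?(?:\?>|$)",
                     re.IGNORECASE | re.DOTALL)

def unrendered_params(url):
    """Return {parameter: [tags]} for query values that carry literal PHP tags.

    parse_qsl percent-decodes the values, so %3C%3Fphp is caught as well.
    """
    hits = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        tags = PHP_TAG.findall(value)
        if tags:
            hits[name] = tags
    return hits

def scan_form_source(served_html):
    """Return [(line_number, tag)] for PHP tags present in served markup.

    Feed it the response body a browser would get, not the file on disk:
    tags in a .php file are expected, tags in the delivered HTML mean the
    page was never run through the PHP interpreter.
    """
    found = []
    for lineno, line in enumerate(served_html.splitlines(), start=1):
        for match in PHP_TAG.finditer(line):
            found.append((lineno, match.group(0)))
    return found

# Constructed sample of a form served from a .html file that PHP never parsed.
SAMPLE_FORM = '''<form action="https://landing.example/submit" method="post">
  <input type="hidden" name="adgroup" value="<?php echo $adgroup ?>">
  <input type="hidden" name="thankyou" value="free-guide">
</form>'''

if __name__ == "__main__":
    for lineno, tag in scan_form_source(SAMPLE_FORM):
        print(f"line {lineno}: unrendered tag {tag!r}")
```

Logging the referring form whenever `unrendered_params` returns a non-empty result points straight at the form that needs fixing.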
