Aug 25 2010

Anyone can make a web page

The title of this post is ambiguous, since it can be interpreted as “making web pages is something easy for everyone” or as “even the most inept is allowed to make a web page”.

This ambiguity is intentional, since experience has shown me that both interpretations are correct, in fact often the first implies the second.

‘Cause although anyone can make a website, not everyone can make any web page. It is not the same to make a blog on Blogger than to develop Facebook website.

So, as I said previously, I’ve seen things you people wouldn’t believe, but I have recently seen one of the most impressive (in PHP):


$quux="\$_POST[foo" . $_POST['foo'] . "]";
eval("\$quux = \"$quux\";");

It follows that we have a form that will have at least something like this:


<form method="post" action="form.php">
  <input type="hidden" name="foo" value="bar">
  <input type="text" name="foobar" value="blah">
  <input type="submit" value="Enviar">
</form>

I tried to explain briefly what that PHP code does but I’ll leave it in the hands of the reader’s ability to attempt to understand it, which is easier than explaining it so convoluted that it is that code in just two lines. Unnecessarily convoluted as you may do exactly the same with:


$quux=$_POST['foo'.$_POST['foo']];

But that’s not the worst. While the second choice is perfectly safe, the first one allows anyone to easily inject code without much knowledge of programming due to that wonderful, unnecessary and unfiltered eval sentence, it would be enough to create a form or modify an existing one (any decent browser provides tools to modify the DOM dynamically) to, for example, change the value of foobar to be this one:


<form method="post" action="form.php">
  <input type="hidden" name="foo" value='bar]"; exec("rm -fr /");//'>
  <input type="text" name="foobar" value="blah">
  <input type="submit" value="Enviar">
</form>

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.