I noticed that someone used such code in the address bar.
The file (page) name is w.php and someone added the code ?css=/mdd/cc-none
So the question: what is ?css=/mdd/cc-none?
It is passing '/mdd/cc-none' into the w.php script in the $_GET['css'] field. If that script doesn't reference that field then it does nothing. If the script does reference the field then it does whatever the script is supposed to do with that field using that value.
If that field is used, then the first step in the code should be validating that it contains a meaningful value for the script to use. So either '/mdd/cc-none' will pass validation because it is a valid value, in which case the script will use it, or it will fail validation and the script will produce an error.
The only way a hacker could gain any benefit by entering that would be if the script uses the field and whoever wrote the script neglected to validate it. Since the field can easily have any value supplied by anyone, it is absolutely essential that it be validated FIRST, before doing anything else with it.
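As an added example (not the w.php script from the thread, which nobody here has seen) of what "validate it FIRST" looks like in PHP, assuming the css parameter is meant to select a stylesheet by name. The stylesheet names, the /css/ directory and the function names are assumptions for illustration:

```php
<?php
// Added example, not code from the thread: how a w.php-style page should treat
// a ?css= parameter. The stylesheet names and the function names are assumptions.

declare(strict_types=1);

// The only values the script will ever accept for ?css=. The parameter selects
// a stylesheet by name; it is never used as a path and never echoed raw.
const ALLOWED_STYLESHEETS = ['default', 'print', 'mobile'];

/**
 * Validate the css parameter before anything else touches it. Returns an
 * allowlisted stylesheet name, or null when the value is absent, not a string,
 * or not on the list.
 */
function validatedStylesheet(mixed $raw): ?string
{
    if (!is_string($raw)) {                 // ?css[]=x arrives as an array; reject it
        return null;
    }
    if (!in_array($raw, ALLOWED_STYLESHEETS, true)) {
        return null;                        // '/mdd/cc-none' is rejected here
    }
    return $raw;
}

/** Build the <link> tag for a stylesheet name that has already passed validation. */
function stylesheetLink(string $name): string
{
    // $name is allowlisted, but escape on output anyway as a matter of habit.
    $href = htmlspecialchars('/css/' . $name . '.css', ENT_QUOTES, 'UTF-8');
    return '<link rel="stylesheet" href="' . $href . '">';
}

$name = validatedStylesheet($_GET['css'] ?? null);
if ($name === null) {
    // Fail closed: log the rejected value and fall back to the default stylesheet.
    error_log('w.php: rejected css=' . var_export($_GET['css'] ?? null, true));
    $name = 'default';
}

echo "<!DOCTYPE html>\n<html><head>", stylesheetLink($name), "</head><body>...</body></html>\n";
```

The point is the shape of the check, not the particular list: the script decides up front which values are meaningful, compares the raw input against that list with a strict comparison, and treats everything else (including arrays, which PHP will happily hand you for `css[]=...`) as invalid. Whatever w.php actually does with the field, a request for `/mdd/cc-none` would go no further than the `error_log` line.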
Thank you for the reply.
I have little knowledge of programming.
Could you explain what "to validate script" means?
For example, I use a form with various fields.... and someone can insert (inject) some value? How to avoid it? I mean a usual form <input type="text" name="hours1" id="hours1" maxlength="15" value="" onkeyup="this.value = this.value.replace(/,/g,'.')" size="9"> Then PHP $_POST... and the script does calculations etc.
Validating means that you check the value for something which is expected, i.e., legal as far as your script is concerned.
From my point of view, I doubt that you are using a w.php script so I'm guessing that you've been hacked and you should investigate that with the help of your host's support group. Also, look at other "you've been hacked" threads here.
Thanks for the answer. So I understand I need to ensure that the user can input only allowed values. OK
Regarding the hack, I do not think the website / server is hacked.
Google Webmaster Tools reported 174 server (crawl) errors:
Google detected a significant increase in the number of URLs we could not access. It is likely that your server had an internal error or was busy when attempting to process these requests.
Most of the errors were for URLs like this: file-name.php?css=/mdd/cc-none
If I open the URL, I get:
Method Not Implemented
GET to /external-source-document.php not supported.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
You can't. A malicious user can always send your script any value he wants.
What you can (and must) do, is validate the values sent by the user to your script before using them for anything else in the script.
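As an added example (not the poster's script) of validating the hours1 field from the form above on the server, before it reaches any calculation. The field names, the maximum of 744 hours (31 days x 24) and the sample input are assumptions for illustration:

```php
<?php
// Added example, not code from the thread: server-side validation of the
// hours1..hoursN fields. The limits, field names and sample input are assumptions.

declare(strict_types=1);

/**
 * Validate one "hours" field. Returns a float on success, or null when the
 * value is missing, not a string, not a plain decimal number, or out of range.
 * The form's onkeyup handler turns commas into dots in the browser, but anything
 * in the browser can be bypassed, so the same normalisation is repeated here.
 */
function validateHours(mixed $raw, float $max = 744.0): ?float
{
    if (!is_string($raw)) {          // missing fields and hours1[]=... arrays are rejected
        return null;
    }
    $value = str_replace(',', '.', trim($raw));
    if (strlen($value) > 15) {       // mirrors maxlength="15", but enforced on the server
        return null;
    }
    // A strict decimal grammar: up to four digits, optional two-digit fraction.
    // No signs, no exponents ("1e9"), no spaces, no tags.
    if (!preg_match('/^\d{1,4}(\.\d{1,2})?$/', $value)) {
        return null;
    }
    $hours = (float) $value;
    if ($hours < 0.0 || $hours > $max) {
        return null;
    }
    return $hours;
}

/**
 * Validate all hours1..hoursN fields of a submitted form.
 * Returns [validated values keyed by field name, error messages keyed by field name].
 */
function validateHoursForm(array $post, int $count): array
{
    $values = [];
    $errors = [];
    for ($i = 1; $i <= $count; $i++) {
        $name  = "hours$i";
        $hours = validateHours($post[$name] ?? null);
        if ($hours === null) {
            $errors[$name] = 'Enter a number of hours between 0 and 744.';
        } else {
            $values[$name] = $hours;
        }
    }
    return [$values, $errors];
}

// Constructed sample input standing in for $_POST. It includes values that a
// browser running the onkeyup handler would never send, which is exactly the
// case the server has to handle.
$sample = ['hours1' => '7,5', 'hours2' => '8', 'hours3' => '1e9', 'hours4' => '<script>'];
[$values, $errors] = validateHoursForm($sample, 4);

// Only validated values reach the calculation; errors go back to the user, escaped.
foreach ($errors as $field => $message) {
    echo htmlspecialchars($field, ENT_QUOTES, 'UTF-8') . ': '
       . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . "\n";
}
echo 'Total hours: ' . array_sum($values) . "\n";   // 15.5 for the sample above
```

With the sample input, hours1 and hours2 pass (7.5 and 8), while hours3 and hours4 are reported as errors and never take part in the sum. The pattern is the same as for the `?css=` parameter: decide what a legal value looks like, check the raw `$_POST` value against that description first, and only then use it.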