An attack on Infinity Gb V2 2
I'll say right away: this attack is rather primitive, but if you want to make life miserable for someone (say, a certain site admin), it will do :).
Everything here works through the normal interface: no deception, no break-ins and so on. We also won't copy the forms to another site to get around the limit on how many characters you can type. We simply put into the fields available to us whatever garbage the script was never written to expect. So, in the words of Yuri Gagarin: let's go!
Now let's look at what can be done with the forms, assuming the admin has not rewritten the script.
One note up front: all code is enclosed in asterisks, like *code*.
Username.
Here you can have a sincere laugh at the admins and everyone else. The thing is that, for reasons completely incomprehensible to me, the authors restricted users' freedom of speech and immediately paid for it. As you can see from the code, the files that store the messages use the separators ###, [:msg_start:], [:elmail:], [:snd_date:] and [:ip_dev:]. It would have been enough to simply replace the angle brackets with character codes, and all would be well. Instead they decided to act tough: cut everything out. Good luck with that! Enter ### or another separator as the username and enjoy the fact that the username is not displayed at all. Cool, huh? You look at the entries and can't understand what is going on.
You can also use special characters from the character table in the username, since the script converts them into character codes; a quick way to make a mess!
Much more could be written, but it would all be variations on the above, so there is nothing else of interest. We'll consider this subject closed.
E-mail.
Enter something like «1@1.ru title = XSS»; now, when the mouse hovers over the username, the tooltip shows «XSS» instead of «Click on the name of the user to send e-mail», because the script inserts the value into the link unescaped. It seems like nothing, but how satisfying :).
You can also enter «//» as the address; then, when the pointer is over the user, you will see «mailto://». Of course, you can still write your email address at the bottom of the message instead. Decent people can protect themselves from spam bots that harvest email addresses this way.
That is probably all for the email address: first, by default you can enter only 25 characters, and second, angle brackets are reliably filtered here, which leads to the obvious conclusion: there is nothing more to do here.
Message text.
Long live ten thousand characters and no restrictions! Here you can enter everything described above, within the space allotted to us. Anything we cannot simply enter is filtered out. And we have nothing else.
Again, let's return to freedom of speech, or rather not to freedom of speech itself but to the fact that we are denied it. And that is exactly what we need! The point is that PHP has no intelligence; it does not need any. It simply does what the instructions say. For example, if it is written to remove forbidden sequences from the text, it removes them, but it does not check what the result will be. When we are told that the text must not contain certain characters (e.g. ###), we test repeatedly, while the script tests once. And that is great! If we enter ###, the script cuts it out; if we enter [:msg_start:], the script cuts that out too. But what about #[:msg_start:]#[:msg_start:]#? Don't know what happens? I do! The result is ###, which the script does not filter because it has already filtered once and now believes it has done everything required of it. Thanks to this, the body of the record saved in the file is broken, and nobody knows it yet, but when you look at other people's entries it all comes out! Enter a few more of these and you get a polluted guestbook that the admin will spend a long time cleaning up, and, most importantly, by hand, because a sequence of characters like this cannot be removed from the admin panel.
Want more? Sure, easily! There is a special panel of codes. They asked for it: enter the «[*]» code, lots of it. Garbage will come out, and in some cases nothing at all will come out.
As with the username section, I'll say there is nothing more to do. If you want to do something else, try it yourself.
Now for administrators. If you do not want your guestbook attacked this way, replace the filtered expressions with their character codes and, however strange it may seem, do not restrict too much what users may enter. Believe me, it is not difficult, and it works great. The more thoroughly you replace all the special codes, the longer your guestbook will live.
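The single-pass filter described above and the fix recommended to administrators, as an added example that is not code from Infinity Gb or from the article. The delimiters are the ones the article names; the flat-file record layout (fields joined by ###) and the function names are assumptions made for this demonstration.

```python
# Added example, not the guestbook's own code. Models the one-pass delimiter
# removal the article describes, shows how removing one delimiter can
# reassemble another, and contrasts two safer approaches.

# Separators the article says the script uses inside its message files.
DELIMITERS = ["###", "[:msg_start:]", "[:elmail:]", "[:snd_date:]", "[:ip_dev:]"]
FIELD_SEP = "###"  # assumed: fields of one record are joined with ###


def naive_filter(value: str) -> str:
    """One pass of removal: the behaviour the article attributes to the script."""
    for d in DELIMITERS:
        value = value.replace(d, "")
    return value


def contains_delimiter(value: str) -> bool:
    """Check a stored field would not be mistaken for a record separator."""
    return any(d in value for d in DELIMITERS)


def filter_until_stable(value: str) -> str:
    """Repeat removal until the text stops changing, so that deleting one
    delimiter cannot leave a freshly assembled one behind."""
    cleaned = naive_filter(value)
    while cleaned != value:
        value, cleaned = cleaned, naive_filter(cleaned)
    return cleaned


def encode_field(value: str) -> str:
    """The fix the article recommends: store the characters that delimiters
    (and HTML markup) are built from as numeric character codes, so no input
    can ever equal a separator and nothing needs to be cut out."""
    return "".join(f"&#{ord(c)};" if c in '#[]:<>&"\'' else c for c in value)


def store_record(name: str, mail: str, text: str, sanitize) -> str:
    """Build one record line using the given sanitizer for every field."""
    return FIELD_SEP.join(sanitize(f) for f in (name, mail, text))


def parse_record(line: str) -> list:
    """Split a stored line back into fields; a healthy record has three."""
    return line.split(FIELD_SEP)
```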
In conclusion, here is what to type into all the forms to have a hearty laugh at the guestbook's admins:
Username: ###
Mail: //1@1.ru
Note: [*] [*] [*] [*] [*] [*] [*] [*] [*] [*] [*] [*] [*] [*]
Now everyone will see a message with nothing in it, left by someone with no name.