[SOLVED] need help with header injection

[darkfreaks]

hey guys any suggestions on how i would pass an error through error=thisisanerror without injection.

 

i tried passing it as a $string but that didnt strip any injection from it no matter what function i called. ???

[DarkWater]

Just use a session?  You should never pass a string through the URL only to display it right on the next page....that's kind of dumb.

[kenrbnsn]

Please tell us exactly what you are trying to do/avoid and tell us what you have tried.

 

Ken

[darkfreaks]

it doesn't redirect to a page this is retarded whoever designed this to display the error on the same page through the header here is the code....

<?php
//the error part is unsafe even if i take itout and put the //whole error in a $variable 
//and urlencode it.
header("Location: $base_url/login.php?game=
$game&error=Error+logging+in.+Have+you+created
+an+account+yet?+Passwords+are+caSe+SEnsITIvE.");?>

 

 

 

[kenrbnsn]

That code looks perfectly ok. What is the problem?

 

Ken

[darkfreaks]

i asked in the security forum for it to be tested and someone passed injection in it. they changed the error to marquee and whatever code they want. that is the prob :-\

[kenrbnsn]

How is that input treated in the code. That's what we have to see.

 

Ken

[darkfreaks]

i tried

 

 

<?php

$error="Error+logging+in.+Have+you+created+an+account+yet?+Passwords+are+caSe+SEnsITIvE.";
header("Location: $base_url/login.php?game=".urlencode($game)."&error=".urlencode($error)."");
?>

 

but that did not work either :-\

[kenrbnsn]

No, we need to see how the script login.php is using $_GET['error']. That's where the problem is, not how you're setting it. The problem is that the script is trusting that $_GET['error'] will always be only those strings it knows about.

 

Never trust user input

 

At minimum, you should be using the strip_tags before sending the value of $_GET['error'] to the screen.

 

Ken

 

 

[darkfreaks]

there is no $_GET['error'] it is all passed through this function

 

<?php

function error($page,$error = "")
{
include "globals.inc.php";
if (ereg("\?",$page))
{
	$string = "Location: $page&error=" . space2plus($error);// turn + to spaces
}
else
{
	$string = "Location: $page?error=" . space2plus($error);// turn + to spaces
}
return $string;
}?>

[kenrbnsn]

No.

 

Somewhere in the script login.php it is sending the value for $_GET['error'] to the screen.

 

If there is no $_GET['error'] then your scripts are relying on register_globals being enabled which is another security problem.

 

Instead of posting snippets of the script that don't relate to the problem, just post the entire script.

 

Ken

[kenrbnsn]

You marked this "solved" with telling us what solved your problem.

 

Ken