Site News


If you are not too long, I will wait here for you all my life.
-Oscar Wilde

Evening Readers,

I’m taking a break from the usual coding to give you a brief plan for the future. For the past few days I’ve been trying to produce a script a day. Not for breast cancer, not for political gain, or to support the troops. I’m doing it primarily out of a desire to have content on this site for you to read, and hopefully to improve my readership.

I plan to continue this effort, potentially with a busy day here and there, but please check back and see how the progress is going. Also remember that this site provides a free service to everyone, and prosperity for all starts with a world view of more than oneself.

(edit:) This used to be Script a Day, but as chance would have it my laptop’s DC jack broke, and I don’t have any means other than a shared computer. So until I either get a new computer or fix the old one, we are on Script “a lot” rather than Script “a Day”.

When prosperity comes, do not use all of it.
-Confucius


XSS Prevention using PHP. This contains a working example of an XSS exploit in a popular WordPress theme, and how to prevent XSS attacks with PHP.

Cross-Site Scripting, or XSS, still seems to be the redheaded stepchild of security flaws for some developers. I’ve talked with several plugin developers and theme developers, and they all seem not to care. In this article I’m not going to show you why it’s so dangerous; I will just show you how to prevent XSS on the server side with PHP, using real-life examples.

Let’s take the Connections WordPress theme and show you the vulnerability.

Open the theme directory

Open search.php in the connections folder and search for the following:


(it appears twice in search.php)

The above is particularly a problem because it takes the “raw” input of s, which in WordPress is the search variable almost everyone uses, and puts it directly into the JavaScript execution space, which can cause a multitude of other problems. Here is just one example, and it is only the tip of the iceberg.

XSS demo on connections theme original site

You can only imagine what can be done from here. Something like window.location=’nastypornsite’, then sent to Google for mega-indexing, can really ruin a webmaster’s day. Preventing the nastiness is actually rather simple. Here are the same lines fixed for XSS prevention, using strip_tags():


I have of course informed the developer, but I also hope that this helps people better understand the issues concerned with XSS. I will admit it wasn’t until today, when I saw a lame attempt at XSS in my logs, that I realized this blog was vulnerable. Of course every Connections theme out there on the internet is vulnerable as well, and perhaps a crafty person might be able to chase down every owner of a Connections theme and …  inform them of the problem. But maybe that is asking too much.
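To make the fix concrete, here is an added PHP example (not the Connections theme’s code, nor the post’s original snippet) that reconstructs the pattern described above: the raw WordPress search term `s` echoed into an inline script, the strip_tags() version from the post, and a context-aware alternative using json_encode(). The function names and the sample search term are constructed for illustration.

```php
<?php
// Added example, not the Connections theme's code. It reconstructs the pattern
// the post describes: the WordPress search term `s` echoed into an inline script.
// Function names and sample inputs are constructed for illustration.

// Vulnerable shape: raw request input concatenated into a JavaScript string.
function render_search_script_unsafe(string $s): string
{
    return "<script>var searchTerm = '" . $s . "';</script>";
}

// The post's fix: strip_tags() removes HTML markup from the value.
// It leaves quotes untouched, so an apostrophe in the search term still
// terminates the JavaScript string literal early.
function render_search_script_striptags(string $s): string
{
    return "<script>var searchTerm = '" . strip_tags($s) . "';</script>";
}

// Context-aware alternative: json_encode() emits a valid JavaScript string
// literal, and the JSON_HEX_* flags encode < > & ' " as \uXXXX so the value
// can close neither the literal nor the surrounding <script> element.
function render_search_script_safe(string $s): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return "<script>var searchTerm = " . json_encode($s, $flags) . ";</script>";
}

// HTML body context needs HTML escaping rather than JavaScript escaping.
function render_search_heading(string $s): string
{
    $safe = htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>Search results for "' . $safe . '"</h2>';
}

// Constructed input: a benign term containing an apostrophe and markup. Even this
// non-malicious value breaks the JavaScript in the unsafe and strip_tags() variants.
$term = $_GET['s'] ?? "it's <b>bold</b>";

$variants = [
    'unsafe'      => 'render_search_script_unsafe',
    'strip_tags'  => 'render_search_script_striptags',
    'json_encode' => 'render_search_script_safe',
];
foreach ($variants as $label => $fn) {
    echo $label, ":\n  ", $fn($term), "\n";
}
echo "heading:\n  ", render_search_heading($term), "\n";
```

Run it from the CLI (php example.php) or behind a web server with ?s=… to compare the three script variants; strip_tags() removes markup but not quotes, so for a value that lands inside a JavaScript string literal the json_encode() form is the one that keeps the literal intact.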

Relative Links

As promised, I have brought back our old software and made it available for everyone to use. All search pages and the original site news post have been updated to reflect the PHP script availability.

Request PHP Software and Scripts

Please bear in mind that this system is email based and is going to take a little time to perfect. So please be patient with it; just remember that the PHP scripts will be on their way to your email.
