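--- a/(unknown)
+++ b/(unknown)
@@ -1,43 +1,46 @@
 <?php
 
 // ATTENTION: This is a very simple XSS "Firewall". There ARE many other ways to do an XSS attack, so please don't rely on this script!
 
 $xxx_directories_need_anti_xss = array(
-// Webseiten, die mit XSS verseucht sind
 '/home/'
 );
 
 // ---
 
 function ___check_xss___($str) {
+$ary = is_array($str) ? $str : array($str);
+foreach ($ary as $str) {
 if ((stripos($str, '<svg') !== false) || (stripos($str, '<script') !== false)) {
+@header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error', true, 500);
 die('There is a problem with the data you have entered. Please write us an email if you think you received this message in error. info at viathinksoft.de');
 }
+}
 }
 
 // ---
 
 $xxx_go = false;
 foreach ($xxx_directories_need_anti_xss as $xxx_directory_need_anti_xss) {
 if (strpos($_SERVER['SCRIPT_FILENAME'], $xxx_directory_need_anti_xss) === 0) {
 $xxx_go = true;
 }
 }
 unset($xxx_directories_need_anti_xss);
 unset($xxx_directory_need_anti_xss);
 if ($xxx_go) {
 if (isset($_SERVER['REQUEST_URI'])) ___check_xss___($_SERVER['REQUEST_URI']);
 if (isset($_SERVER['QUERY_STRING'])) ___check_xss___($_SERVER['QUERY_STRING']);
 if (isset($_SERVER['SCRIPT_URI'])) ___check_xss___($_SERVER['SCRIPT_URI']);
 if (isset($_SERVER['SCRIPT_URL'])) ___check_xss___($_SERVER['SCRIPT_URL']);
 if (isset($_SERVER['PHP_SELF'])) ___check_xss___($_SERVER['PHP_SELF']);
 
 # Warum so viele ___ ? Damit man auf keinen Fall ein GET/POST Argument mit diesen Variablen überschreibt!
 foreach ($_REQUEST as $___key___ => $___val___) {
 ___check_xss___($___val___);
 }
 unset($___key___);
 unset($___val___);
 }
 unset($xxx_go);
 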
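Review bot: The added `$ary = is_array($str) ? $str : array($str);` / `foreach ($ary as $str)` pair in `___check_xss___` unwraps only one level, so a nested request parameter such as `a[b][c]=<script>` still reaches `stripos()` as an array — a TypeError on PHP 8 (a warning and a spurious block on PHP 7) instead of the intended scan. Recursing handles any depth and keeps the parameter from being shadowed: replace the two added lines with `if (is_array($str)) { foreach ($str as $___v___) ___check_xss___($___v___); return; }` and drop the matching closing brace added as new line 18. The new `@header($_SERVER['SERVER_PROTOCOL'] . ' 500 ...')` reads `SERVER_PROTOCOL` unguarded and the `@` hides the headers-already-sent case, so the 500 may silently never be emitted; `http_response_code(500);` avoids both. Note also that `REQUEST_URI`/`QUERY_STRING` are scanned raw, so a percent-encoded `%3Cscript` passes those checks and is only caught via the decoded `$_REQUEST` values — consistent with the file's own ATTENTION warning that this blacklist is not a real defence and output escaping must still be done per context.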