Re: Serverside script injection?

I found an example "built to duplicate some of PHPs built in functionality" is suggested in:
www.planet-source-code.com/vb/scripts/ShowCode.asp?lngWId=4&txtCodeId=6278 where the VarsFromForm function captures the querystring and executes some code based on it:

Public Sub VarsFromForm

     For Each item In request.form
     	execute(item & "=""" & Replace(request.form(item), Chr(34), 
Chr(34) & Chr(34)) & """")
     Next
     For Each item In request.QueryString
     	execute(item & "=""" & Replace(request.QueryString(item), Chr(34), 
Chr(34) & Chr(34)) & """")
     Next

In a 'normal' use if the page is called like: xyz.asp?a=1&b=2
'a' and 'b' variables would be created and assigned values "1" and "2".

If this page is called with a querystring like: xyz.asp?response.write%20Application("password"):Pippo=1

the command [response.write Application("password")] is executed and the value "1" is assigned to the variable Pippo ...

Best regards,
Marco Aldegheri, CISSP

joh ket wrote:
>
> Hi there.
>
>
> I have a question regarding serverside script injection. Does it exist -
Received on Mon Jan 13 10:26:21 2003

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek