How to prevent <meta http-equiv="refresh"> attacks?
I think that hackers (or script kiddies) attacked my site using site code leaks. Messages in the database are modified so that they contain this HTML:
<meta http-equiv="refresh" content="0;url=http://example.com"/>
But I cannot rewrite the system now. What are the strategies for preventing this situation in the future?
I'm thinking of porting an admin script to a subdomain that allows access to specific domains. Or use mod_security SecFilterScanPOST and scan the entire send request containing http-equiv etc. Or do you allow only to send requests from my server or all of them?
Thanks.
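The idea of scanning for http-equiv, as an added example that is not part of the original post or its answers: Python that audits exported message rows for meta refresh tags with an HTML parser rather than a substring match, and output-encodes messages when they are displayed. The function names and the sample rows are constructed for illustration.

```python
import html
from html.parser import HTMLParser

class MetaRefreshFinder(HTMLParser):
    """Collects the content= value of each <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and decodes entities in
        # values, so case, quoting and &#..; variants all end up here.
        # Self-closing <meta ... /> is routed to this method as well.
        if tag != "meta":
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("http-equiv", "").strip().lower() == "refresh":
            self.hits.append(a.get("content", ""))

def find_meta_refresh(message):
    finder = MetaRefreshFinder()
    finder.feed(message)
    finder.close()
    return finder.hits

def audit(rows):
    """Map row id -> refresh targets for every stored message that has one."""
    flagged = {}
    for row_id, body in rows:
        hits = find_meta_refresh(body)
        if hits:
            flagged[row_id] = hits
    return flagged

def render_message(body):
    """Output-encode on display so stored markup is shown as text."""
    return html.escape(body, quote=True)

# Constructed sample rows (id, message body); not data from the page.
SAMPLE_ROWS = [
    (1, "Hello, see you at 5pm"),
    (2, 'Nice post <meta http-equiv="refresh" content="0;url=http://example.com"/>'),
    (3, "<META HTTP-EQUIV=Refresh CONTENT='5; URL=http://example.com'>"),
    (4, "How do I use http-equiv in my own page?"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_ROWS))
```

Row 4 mentions http-equiv in plain text and is not flagged, which a bare substring filter on the POST body would get wrong; encoding on output is what stops a stored tag from being interpreted even if a filter misses it.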
PHP, , . FTP telnet, , - , / -.
- -. . , - (.. URL http:// -). - root direct - .
(, Wordpress/Joomla). , . . .
, FTP, Telnet, (, phpMyAdmin) .. . , (, IP, , VPN)
- , ( ). , . Telnet → SSH, FTP → SFTP/FTP, HTTP/HTTPS.
- . screnario, . ...