forked from webpwnized/mutillidae
styling.php
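<?php
	/*
	 * Page shown inside the frame of styling-frame.php (see the page-to-frame
	 * parameter in the test case below). This block works out $lPageTitle from
	 * the optional "page-title" request parameter; the HTML after the closing
	 * tag echoes it.
	 *
	 * If you are trying to cause path relative stylesheet
	 * injection, a test case is
	 *
	 * http://172.16.0.130/mutillidae/index.php?page=styling-frame.php&page-to-frame=styling.php/foo/bar/%0A{}*{color:red;}///
	 * This works in IE 11 if the browser is in compatibility mode
	 *
	 * Security levels 0 and 1 are marked insecure below: the title is taken
	 * from $_REQUEST and echoed without encoding. Levels 2-5 take the title
	 * from the query string only and pass it through the ESAPI HTML encoder.
	 */

	// Defaults are set before the try block so the template always has a title
	// and both flags are defined even when no switch case matches.
	$lPageTitle = "Styling with Mutillidae";
	$lProtectAgainstMethodTampering = FALSE;
	$lEncodeOutput = FALSE;

	try{
		$ESAPI = NULL;
		$Encoder = NULL;

		if (session_status() == PHP_SESSION_NONE){
			session_start();
		}// end if

		if (!isset($_SESSION["security-level"])){
			$_SESSION["security-level"] = 0;
		}// end if

		// NOTE(review): there is no default case, so any stored level other
		// than 0-5 keeps both flags FALSE, i.e. the unencoded path.
		switch ($_SESSION["security-level"]){
			case "0": // This code is insecure
			case "1": // This code is insecure
				$lProtectAgainstMethodTampering = FALSE;
				$lEncodeOutput = FALSE;
			break;

			case "2":
			case "3":
			case "4":
			case "5": // This code is fairly secure
				require_once ('./includes/constants.php');
				require_once (__ROOT__.'/owasp-esapi-php/src/ESAPI.php');
				$ESAPI = new ESAPI(__ROOT__.'/owasp-esapi-php/src/ESAPI.xml');
				$Encoder = $ESAPI->getEncoder();
				$lProtectAgainstMethodTampering = TRUE;
				$lEncodeOutput = TRUE;
			break;
		};//end switch

		// With method-tampering protection on, only the query string counts as
		// a source. The earlier code tested $_REQUEST and then read $_GET, which
		// hit an undefined key whenever the value arrived by POST or cookie.
		// is_string() rejects the array form (page-title[]=...) before it
		// reaches the encoder.
		if ($lProtectAgainstMethodTampering) {
			$lParameterSubmitted = isset($_GET["page-title"]) && is_string($_GET["page-title"]);
		}else{
			$lParameterSubmitted = isset($_REQUEST["page-title"]);
		};// end if $lProtectAgainstMethodTampering

		if ($lParameterSubmitted){
			if ($lProtectAgainstMethodTampering) {
				$lPageTitle = $_GET["page-title"];
			}else{
				$lPageTitle = $_REQUEST["page-title"];
			};// end if $lProtectAgainstMethodTampering

			if($lEncodeOutput){
				$lPageTitle = $Encoder->encodeForHTML($lPageTitle);
			};// end if
		};// end if $lParameterSubmitted

	} catch (Exception $e) {
		// Neither $CustomErrorHandler nor $lQueryString is defined in this file.
		// Use the handler only when an including script has provided one;
		// otherwise log server-side and show a message without exception details.
		if (isset($CustomErrorHandler)){
			echo $CustomErrorHandler->FormatError($e, isset($lQueryString) ? $lQueryString : NULL);
		}else{
			error_log($e->getMessage());
			echo "An error occurred while preparing this page.";
		};// end if
	};// end try;
?>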
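<?php
	/*
	 * Template for the framed page. $lPageTitle is prepared by the PHP block
	 * above and is already HTML-encoded when $lEncodeOutput is TRUE.
	 *
	 * NOTE(review): the Transitional doctype, the IE=EmulateIE7 hint and the
	 * relative stylesheet href look deliberate for the path-relative stylesheet
	 * exercise described at the top of the file, so they are left untouched.
	 * A production page would use a root-relative or absolute stylesheet URL
	 * and a standards-mode doctype.
	 */
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
	<head>
		<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7">
		<link rel="stylesheet" type="text/css" href="./styles/global-styles.css" />
		<title><?php echo $lPageTitle?></title>
	</head>
	<body>
		<table>
			<tr><td> </td></tr>
			<tr><td><div class="page-title"><?php echo $lPageTitle?></div></td></tr>
			<tr><td> </td></tr>
			<tr>
				<td class="form-header">
					I've been framed!
				</td>
			</tr>
			<tr>
				<td>
					I've been framed by <?php
						// PHP_SELF carries whatever extra path the client appended after
						// the script name, so it is request-controlled. When output
						// encoding is on it gets the same ESAPI encoding as the title;
						// the lower security levels keep echoing it raw, as before.
						// Encoding the echoed text does not change how the browser
						// resolves the relative stylesheet href above.
						if (!empty($lEncodeOutput)){
							echo $Encoder->encodeForHTML($_SERVER['PHP_SELF']);
						}else{
							echo $_SERVER['PHP_SELF'];
						}// end if
					?>
				</td>
			</tr>
			<tr><td> </td></tr>
		</table>
	</body>
</html>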