Food for thought... [PHP security]

Dj_Jestar · 25 Oct 2005 at 21:14

Here is something I only found out today.. some of you may have been aware, but I am certain quite a lot are not.

http://blog.phpdoc.info/archives/13-XSS-Woes.html

Moral of the story - don't trust the $_SERVER superglobal

An example:

Create a file, call it test.php:

Code:

<?php

echo $_SERVER['PHP_SELF'];

?>

(I did so in my doc root on localhost)

Then access it with the following url:

http://localhost/test.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo

Anything unusual happen?

Gman · 25 Oct 2005 at 21:56

nice

well you can still use it and in a lot of cases its needed, you've just got to remember to wrap it in htmlentities to cover your arse.

Beansprout · 25 Oct 2005 at 22:08

SCRIPT_PATH be the solution then - but an interesting read, especially this comment:

http://www-128.ibm.com/developerworks/blogs/dw_blog_comments.jspa?blog=481&entry=75480

If you'll read Rasmus's comment, you'll see that he was unaware that the Host header can affect $_SERVER['SERVER_NAME']. If Rasmus has trouble, then there's little hope for the unwashed masses who have just written their first Hello World.

Dj_Jestar · 26 Oct 2005 at 06:54

After some tests, it appears $_SERVER['SCRIPT_NAME'] is immune to this exact attack, but if some of the $_SERVER indices can be 'infected' then there will be a way to get them all

AS_Platinum · 26 Oct 2005 at 08:27

Nothing unusual happens here whatsoever, just get 'The Page Cannot be found' error. O/S specific???

Am using IIS as dev server

lookitsjonno · 26 Oct 2005 at 08:38

much of the $_SERVER superglobal can be spoofed anyway so one more wont hurt.

it's just the a case of looping through the $_SERVER superglobal and running each entry through urldecode() and then htmlentities().

Dj_Jestar · 26 Oct 2005 at 08:57

This is a 'flaw' with PHP, thus it is a problem across all platforms and webservers.

jonno - using urldecode on input is a very touchy subject, as pointed out in one of the comments on the Reserved Variables page on php.net

Felix · 26 Oct 2005 at 22:56

What am I missing?

Dj_Jestar · 27 Oct 2005 at 07:06

Felix said:
What am I missing?

que?

If you mean you can't see the problem, basically it's an injection attack where the attacker could inject pretty much whatever they want onto your site, via a loophole in the superglobal $_SERVER['PHP_SELF'].