Food for thought... [PHP security]

Dj_Jestar · 25 Oct 2005 at 21:14

Here is something I only found out today.. some of you may have been aware, but I am certain quite a lot are not.

http://blog.phpdoc.info/archives/13-XSS-Woes.html

Moral of the story - don't trust the $_SERVER superglobal

An example:

Create a file, call it test.php:

Code:

<?php

echo $_SERVER['PHP_SELF'];

?>

(I did so in my doc root on localhost)

Then access it with the following url:

http://localhost/test.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo

Anything unusual happen?

Dj_Jestar · 26 Oct 2005 at 06:54

After some tests, it appears $_SERVER['SCRIPT_NAME'] is immune to this exact attack, but if some of the $_SERVER indices can be 'infected' then there will be a way to get them all

Dj_Jestar · 26 Oct 2005 at 08:57

This is a 'flaw' with PHP, thus it is a problem across all platforms and webservers.

jonno - using urldecode on input is a very touchy subject, as pointed out in one of the comments on the Reserved Variables page on php.net

Dj_Jestar · 27 Oct 2005 at 07:06

Felix said:
What am I missing?

que?

If you mean you can't see the problem, basically it's an injection attack where the attacker could inject pretty much whatever they want onto your site, via a loophole in the superglobal $_SERVER['PHP_SELF'].