Zero-Affect

$_SERVER['PHP_SELF'] alternative/vulnerability


Some people may have noticed I have posted a few posts regarding PHP_SELF being insecure. Well, this is true, and I am just making this thread so that others don't make any mistakes like I did. So the following are just a few examples of how it can be used against you and some examples of fixing the issue.

The issue code:

$_SERVER['PHP_SELF']

Fixes:

'.basename($_SERVER['SCRIPT_FILENAME']).'

basename(__FILE__)

Issue in action:

http://www.gameurl.com/ask_staff.php/"<iframe src=http://www.crimgame.com></iframe> - will output an iframe to crimgame.com wherever $_SERVER['PHP_SELF'] is.

Screenshot example:


Source of fake_login.php:

<?php
// Deliberately vulnerable demo: $_SERVER['PHP_SELF'] is echoed unescaped
// both inside the form's action attribute and directly into the page body.
echo '
<h2>Form method</h2>
<form name="login" action="' . $_SERVER['PHP_SELF'] . '" method="post">
<b>Name</b>: <input type="text" name="name" value="" />

<b>Password</b>: <input type="password" name="password" value="" />

<input type="submit" value="login" />
</form>
<h2>Echo method</h2>
' . $_SERVER['PHP_SELF'];
?>

 

Thanks to Zeggy and/or Djkanna, I forget who notified me of the issue in my code.
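To make the attribute-context problem from the first post concrete, here is an added example (not code from the thread) that puts the vulnerable line beside the two fixes discussed: escaping for the HTML attribute context, and deriving the action from the script's own file name. The $php_self value is a constructed sample of what PHP_SELF holds when PATH_INFO is appended, and example.invalid is a placeholder host.

```php
<?php
// Added example, not from the thread. PHP_SELF is SCRIPT_NAME plus any
// PATH_INFO the client appended, so the client controls its tail.
// Constructed sample value (placeholder host), mirroring the thread's payload:
$php_self = '/ask_staff.php/"><iframe src=http://example.invalid></iframe><a b="';

// 1. Vulnerable: the value is concatenated straight into a quoted attribute,
//    so the embedded double quote closes the attribute and the rest is markup.
function form_vulnerable(string $self): string {
    return '<form action="' . $self . '" method="post">';
}

// 2. Fix A: escape for the attribute context. ENT_QUOTES matters here because
//    the attribute is delimited by quotes, which is exactly what the payload
//    breaks out with; < and > are encoded as well, so no tag is created.
function form_escaped(string $self): string {
    return '<form action="' . htmlspecialchars($self, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

// 3. Fix B: avoid client-influenced data entirely and use the file name of
//    the running script, which the request cannot alter.
function form_basename(): string {
    return '<form action="' . basename(__FILE__) . '" method="post">';
}

echo form_vulnerable($php_self), "\n"; // attribute closed, iframe injected
echo form_escaped($php_self), "\n";    // quotes become &quot;, tag text stays inert
echo form_basename(), "\n";            // e.g. <form action="ask_staff.php" method="post">
```

Note that urlencode(), mentioned later in the thread, is for building query strings and would also encode the slashes in the path, so it is not the right tool for this output context.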


Thank you for this info, I've got to change a setting in my forum now (glad I made it a setting, not just added php_self everywhere) :D


No problem mate, good idea making it a setting. I use a function to build the URLs because I use index.php?page=index, but if I ever wanted to change that to index/page=index or something like that I only edit a single line and the htaccess.


I didn't tell you about the issue :P I only refreshed your memory on basename(__file__) :)


I thought this was pretty common knowledge. xD

It's a good post though, and it will highlight the issue for other developers. Good job!


It may be common knowledge, as was X-Forwarded-For, but look at the issues with that. It's just basically a refresher for people, or an update for people who dislike using Google for more than porn... lol


I had it as a setting so I didn't have to edit all the form URLs, so all I have to do now is $this->setting('link');


Sorry if you think I'm weird, but I just tend to type the file name when I can :P


Here's a good solution.....

The file I want is called login.php, so instead of using PHP_SELF, I just type login.php.

action="login.php"

Win.


Some people use PHP_SELF because if they change the file's name from, as you say in your example, login.php, they don't have to change every single login.php to whatever.php (even though it's easy).


I used php_self for my forums as I wanted it to be very flexible, so they can call it what they like and just specify what posts they want shown there, e.g. staff_forum.php would be $forum->start('s'); to show only the staff forums/posts.

PHP_SELF could be used for many other things, not just forms/links, e.g. I used to have a page logger on my site: whatever URL you went on, I could record it along with your username so I didn't have to go through every file and add the code.


That's fair enough, but don't use it if you don't have to. You're still going to have to go through a 'file' to add PHP_SELF, so you might as well just use the filename, then Ctrl + H and replace if you change it :P


$_SERVER['PHP_SELF'] is vulnerable to XSS attacks.
The point in stating the obvious, which was basically stated and shown in the top post, would be?


Don't get me wrong, it's a good point you bring up.

I remember having this discussion with you on how to fix it; didn't we land on urlencode() and/or htmlentities()? Also, Kanna suggested the basename?


$_SERVER['PHP_SELF'] is vulnerable to XSS attacks.
I love the fact people post the obvious, I agree with Equinox... Simple >_>

If you state the file's name, how would you ever be able to change the names easily?

Don't get me wrong, it's a good point you bring up.

I remember having this discussion with you on how to fix it; didn't we land on urlencode() and/or htmlentities()? Also, Kanna suggested the basename?

Yeah, we were discussing urlencode() at one point, if I recall.


I love the fact people post the obvious, I agree with Equinox... Simple >_>

If you state the file's name, how would you ever be able to change the names easily?
If you cannot be arsed to change all instances using Notepad mass find and replace, then that's unlucky. I still stick with using file names.


Well OK Jordan, but a simple solution to that would be to add something like

$file_below_name = 'logout.php';
# ...other page code...
echo '> <a href="' . $file_below_name . '">Back</a>';
# ...other page code...

So then there's no need to go using replace when you can simply edit it from above...


I don't see what's so hard about find/replace, to be honest :S


I don't think I'll be able to; it's a little too complex for me, I mean there's Ctrl + H and all sorts O.o
