MakeWebGames


Posted

Some people may have noticed I have posted a few posts regarding PHP_SELF being insecure. Well, this is true, and I am just making this thread so that others don't make the same mistakes I did. The following is just a few examples of how it can be used against you and some examples of fixing the issue.

The issue code:

$_SERVER['PHP_SELF']

Fixes (use either of these in place of $_SERVER['PHP_SELF']):

basename($_SERVER['SCRIPT_FILENAME'])

basename(__FILE__)

Issue in action:

http://www.gameurl.com/ask_staff.php/"<iframe src=http://www.crimgame.com></iframe> - will output an iframe to crimgame.com wherever $_SERVER['PHP_SELF'] is echoed.

Screenshot example: (image not preserved)

Source of fake_login.php (deliberately vulnerable: PHP_SELF is echoed unescaped in both places):

<?php

  // PHP_SELF includes PATH_INFO, so anything after the script name in the
  // request URL lands in the form action and in the echo below unescaped.
  echo '
 <h2>Form method</h2>
 <form name="login" action="'.$_SERVER['PHP_SELF'].'" method="post">
 <b>Name</b>: <input type="text" name="name" value="" />

 <b>Password</b>: <input type="password" name="password" value="" />

 <input type="submit" value="login" />
 </form>
 <h2>Echo method</h2>
 '.$_SERVER['PHP_SELF'];

?>

Thanks to Zeggy and/or Djkanna, I forget who notified me of the issue in my code.

Posted

Thank you for this info, I've got to change a setting in my forum now (glad I made it a setting and didn't just add PHP_SELF everywhere) :D

Posted

No problem mate, good idea making it a setting. I use a function to build the URLs because I use index.php?page=index, but if I ever wanted to change that to index/page=index or something like that I only edit a single line and the htaccess.

Posted

I thought this was pretty common knowledge. xD

It's a good post though and it will highlight the issue for other developers, good job!

Posted

It may be common knowledge, as was X-Forwarded-For, but look at the issues with that. It's just basically a refresher for people, or an update for people who dislike using Google for more than porn... lol

Posted

Some people use PHP_SELF because if they change the file's name from, like you say in your example, login.php, they don't have to change every single login.php to whatever.php (even though it's easy).

Posted

I used PHP_SELF for my forums as I wanted it to be very flexible, so they can call it what they like and just specify what posts they want shown there, e.g. staff_forum.php would be $forum->start('s'); to show only the staff forums/posts.

PHP_SELF could be used for many other things, not just forms/links. For example, I used to have a page logger on my site: whatever URL you went on I could record it along with your username, so I didn't have to go through every file and add the code.

Posted

That's fair enough, but don't use it if you don't have to. You're still going to have to go through a 'file' to add PHP_SELF, so you might as well just use the filename, then Ctrl + H and replace if you change it :P

Posted

Don't get me wrong, it's a good point you bring up.

I remember having this discussion with you on how to fix it; didn't we land on urlencode() and/or htmlentities()? Also Kanna suggested the basename?
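An added example, not code from this thread or from anyone in it, that puts the thread's vulnerable form action next to the fixes discussed above: basename(), htmlspecialchars() as the attribute-escaping counterpart to the htmlentities() mentioned, and urlencode(), which is also mentioned but does not produce a usable path. The attacker path is a constructed value standing in for a request to ask_staff.php with extra PATH_INFO, so the script runs from the command line with no web server; the function names are mine.

```php
<?php
// Added example: PHP_SELF carries PATH_INFO, so a request like
// /ask_staff.php/<payload> puts the payload straight into any page that
// echoes $_SERVER['PHP_SELF'] unescaped. Run with: php php_self_demo.php

// Constructed attacker value (what PHP_SELF would hold for a crafted request).
$fakePhpSelf = '/ask_staff.php/"><iframe src=http://www.crimgame.com></iframe><a href="';

// Vulnerable: request data dropped into an HTML attribute as-is.
function action_raw(string $phpSelf): string {
    return '<form action="' . $phpSelf . '" method="post">';
}

// Fix A: escape for the attribute context. ENT_QUOTES encodes both quote kinds,
// so the attacker cannot close the action="" attribute.
function action_escaped(string $phpSelf): string {
    return '<form action="' . htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

// Fix B: do not use request data at all; the script knows its own file name.
// basename(__FILE__) names the file this code sits in; in an included template
// use basename($_SERVER['SCRIPT_FILENAME']) to get the script that was requested.
function action_basename(string $scriptFile): string {
    return '<form action="' . basename($scriptFile) . '" method="post">';
}

// Not a fix: urlencode() is for query-string values. It turns '/' into %2F,
// so the result is a relative URL that no longer points at the script.
function action_urlencoded(string $phpSelf): string {
    return '<form action="' . urlencode($phpSelf) . '" method="post">';
}

// Demo-only check: does the rendered markup contain a tag the template never wrote?
function leaks_markup(string $html): bool {
    return preg_match('/<iframe|<script|<a\s/i', $html) === 1;
}

$cases = [
    'raw'        => action_raw($fakePhpSelf),
    'escaped'    => action_escaped($fakePhpSelf),
    'basename'   => action_basename(__FILE__),
    'urlencoded' => action_urlencoded($fakePhpSelf),
];

foreach ($cases as $label => $html) {
    printf("%-10s %s\n           %s\n", $label, leaks_markup($html) ? 'INJECTED' : 'clean', $html);
}
```

Only the raw variant reports INJECTED. The urlencoded variant reports clean but its action starts with %2Fask_staff.php%2F..., which the browser treats as a file name in the current directory rather than a path, so the form posts nowhere useful. Of the two working fixes, basename() is the simpler one because it never touches request data.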

Posted

$_SERVER['PHP_SELF'] is vulnerable to XSS attacks.
I love the fact people post the obvious. I agree with Equinox... Simple >_>

If you state the file's name, how would you ever be able to change the names easily?

> Don't get me wrong, it's a good point you bring up.
>
> I remember having this discussion with you on how to fix it; didn't we land on urlencode() and/or htmlentities()? Also Kanna suggested the basename?

Yeah, we were discussing urlencode() at one point, if I recall.
Posted

> I love the fact people post the obvious. I agree with Equinox... Simple >_>
>
> If you state the file's name, how would you ever be able to change the names easily?

If you cannot be arsed to change all instances using Notepad mass find and replace, then that's unlucky. I still stick with using file names.
Posted

Well OK Jordan, but a simple solution to that would be to add something like

$file_below_name = 'logout.php';
# data
echo '<a href="'.$file_below_name.'">Back</a>';
# data

So then there's no need to go using replace when you can simply edit it from above...
