Zero-Affect Posted May 8, 2010

Some people may have noticed I have posted a few posts regarding PHP_SELF being insecure. Well, this is true, and I am just making this thread so that others don't make any mistakes like I did. So the following is just a few examples of how it can be used against you and some examples on fixing the issue.

The issue code:

    $_SERVER['PHP_SELF']

Fixes:

    '.basename($_SERVER['SCRIPT_FILENAME']).'
    basename(__file__)

Issue in action:

    http://www.gameurl.com/ask_staff.php/"<iframe src=http://www.crimgame.com></iframe>

- will output an iframe to crimgame.com wherever $_SERVER['PHP_SELF'] is.

Screenshot example: (screenshot not reproduced here)

Source of fake_login.php:

    <?php
    echo '
    <h2>Form method</h2>
    <form name="login" action="'.$_SERVER['PHP_SELF'].'" method="post">
    <b>Name</b>: <input type="text" name="name" value="" />
    <b>Password</b>:<input type="password" name="password" value="" />
    <input type="submit" value="login" />
    </form>
    <h2>Echo method</h2>
    '.$_SERVER['PHP_SELF'];
    ?>

Thanks to Zeggy and/or Djkanna, I forget who notified me of the issue in my code.
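An added example (not code from the thread or from Zero-Affect) that puts the three values from the post side by side: the raw $_SERVER['PHP_SELF'], basename($_SERVER['SCRIPT_FILENAME']) and basename(__FILE__). The $_SERVER entries are constructed to simulate the request URL shown in the post, so the script can be run from the command line without a web server; the file name php_self_demo.php and the path /var/www/html are assumptions.

```php
<?php
// Added example, not the thread's own code.
// The two $_SERVER values below are CONSTRUCTED to simulate the request
//   http://www.gameurl.com/ask_staff.php/"<iframe src=http://www.crimgame.com></iframe>
// so the script runs from the CLI:  php php_self_demo.php
$_SERVER['PHP_SELF']        = '/ask_staff.php/"<iframe src=http://www.crimgame.com></iframe>';
$_SERVER['SCRIPT_FILENAME'] = '/var/www/html/ask_staff.php'; // assumed document-root path

// Vulnerable: PHP_SELF carries the PATH_INFO tail of the request URL untouched,
// so the double quote closes the attribute and the rest becomes markup.
function form_action_raw(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Fix 1 from the post: SCRIPT_FILENAME is the file system path of the script
// the server resolved, which the client cannot append to.
function form_action_script_filename(): string
{
    return '<form action="' . basename($_SERVER['SCRIPT_FILENAME']) . '" method="post">';
}

// Fix 2 from the post: __FILE__ is the path of the file being executed, again
// independent of the request URL. Note that inside an include it names the
// included file, not the page that was requested.
function form_action_file(): string
{
    return '<form action="' . basename(__FILE__) . '" method="post">';
}

echo "raw PHP_SELF:    " . form_action_raw() . "\n";
echo "SCRIPT_FILENAME: " . form_action_script_filename() . "\n";
echo "__FILE__:        " . form_action_file() . "\n";
```

Running it shows the first line with the iframe tag sitting inside the form markup, while the two fixed variants only ever emit the bare script name, because neither value is taken from the URL the client controls.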
Dayo Posted May 8, 2010

Thank you for this info, I've got to change a setting in my forum now (glad I made it a setting, not just added php_self everywhere) :D
Zero-Affect (Author) Posted May 8, 2010

No problem mate, good idea making it a setting. I use a function to build the URLs because I use index.php?page=index, but if I ever wanted to change that to index/page=index or something like that I only edit a single line and the htaccess.
Djkanna Posted May 8, 2010

I didn't tell you about the issue :P only refreshed your memory on the basename(__file__) :)
iSOS Posted May 8, 2010

I thought this was pretty common knowledge. xD It's a good post though and it will highlight the issue for other developers, good job!
Zero-Affect (Author) Posted May 8, 2010

It may be common knowledge, as was X-FORWARD-FOR, but look at the issues with that. It's just basically a refresher for people, or an update for people who dislike to use google for more than porn... lol
Dayo Posted May 8, 2010

I had it as a setting so I didn't have to edit all the form URLs, so all I have to do now is $this->setting('link');
Zero-Affect (Author) Posted May 8, 2010

Clever solution Dayo.
Djkanna Posted May 8, 2010

Sorry if you think I'm weird but I just tend to type the file name when I can :P
Equinox Posted May 8, 2010

Here's a good solution..... The file I want is called login.php, so instead of using PHP_SELF, I just type login.php.

    action="login.php"

Win.
Zero-Affect (Author) Posted May 8, 2010

Some people use PHP_SELF because if they change the file's name from, like you say in your example, login.php, they don't have to change every single login.php to whatever.php (even though it's easy).
Danny696 Posted May 8, 2010

$_SERVER['PHP_SELF'] is vulnerable to XSS attacks.
Dayo Posted May 8, 2010

I used php_self for my forums as I wanted it to be very flexible, so they can call it what they like and just specify what posts they want shown there, e.g. staff_forum.php would be $forum->start('s'); to show only the staff forums/posts.

PHP_SELF could be used for many other things, not just forms/links, i.e. I used to have a page logger on my site: whatever URL you went on I could record it along with your username, so I didn't have to go through every file and add the code.
Danny696 Posted May 8, 2010

If it's a link to the same page, do Mypage
Djkanna Posted May 8, 2010

That's fair enough, but don't use it if you don't have to. You're still going to have to go through a 'file' to add PHP_SELF, so you might as well just use the filename, then Ctrl + H and replace if you change it :P
Zero-Affect (Author) Posted May 8, 2010

> $_SERVER['PHP_SELF'] is vulnerable to XSS attacks.

The point in stating the obvious, which was basically stated and shown in the top post, would be?
Jordan Palmer Posted May 8, 2010

I love the fact people post the obvious, I agree with Equinox... Simple >_>
Equinox Posted May 8, 2010

Don't get me wrong, it's a good point you bring up. I remember having this discussion with you on how to fix it, didn't we land on urlencode() and/or htmlentities()? Also Kanna suggested the basename?
Zero-Affect (Author) Posted May 8, 2010

> $_SERVER['PHP_SELF'] is vulnerable to XSS attacks.

> I love the fact people post the obvious, I agree with Equinox... Simple >_>

If you state the file's name, how would you ever be able to change the names easily?

> Don't get me wrong, it's a good point you bring up. I remember having this discussion with you on how to fix it, didn't we land on urlencode() and/or htmlentities()? Also Kanna suggested the basename?

Yeah, we were discussing urlencode() at one point if I recall.
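An added example (not code from the thread or from any of its posters) that compares what the escaping options Equinox and Zero-Affect discuss here do to the hostile PHP_SELF value from the first post when it lands in a form action attribute. The $php_self value is constructed from that post's URL; the file name escaping_demo.php is an assumption.

```php
<?php
// Added example, not the thread's own code.
// $php_self is CONSTRUCTED from the attack URL in the first post.
$php_self = '/ask_staff.php/"<iframe src=http://www.crimgame.com></iframe>';

// Output-encoding for an HTML attribute: quotes and angle brackets become
// entities, so the value can no longer close the attribute or open a tag.
// Slashes are untouched, so the action still resolves to the same path.
function action_html_escaped(string $self): string
{
    return '<form action="' . htmlspecialchars($self, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

// urlencode() on the whole value also neutralises the dangerous characters,
// but it is the wrong layer for this context: every '/' becomes %2F, so the
// action no longer names the original path.
function action_urlencoded(string $self): string
{
    return '<form action="' . urlencode($self) . '" method="post">';
}

// Both layers applied where each belongs: percent-encode each path segment
// (keeping the '/' separators), then HTML-escape the result for the attribute.
function action_both_layers(string $self): string
{
    $segments = array_map('rawurlencode', explode('/', $self));
    $url      = implode('/', $segments);
    return '<form action="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

// Run from the command line:  php escaping_demo.php
echo "htmlspecialchars: " . action_html_escaped($php_self) . "\n";
echo "urlencode:        " . action_urlencoded($php_self) . "\n";
echo "both layers:      " . action_both_layers($php_self) . "\n";
```

The first and third lines keep the injected text inert while still pointing at /ask_staff.php; the second shows why urlencode() by itself is not a substitute for HTML escaping, since it changes the URL rather than the markup context. Using basename() as in the first post avoids the question entirely by never putting the request URL into the page.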
Jordan Palmer Posted May 8, 2010

> I love the fact people post the obvious, I agree with Equinox... Simple >_>
> If you state the file's name, how would you ever be able to change the names easily?

If you cannot be arsed to change all instances using Notepad mass find and replace, then that's unlucky. I still stick with using file names.
Zero-Affect (Author) Posted May 8, 2010

Well ok Jordan, but a simple solution to that would be to add something like

    $file_below_name = 'logout.php'; #data
    echo '> <a href="'.$file_below_name.'">Back</a>'; #data

So then no need to go using replace when you can simply edit it from above...
Jordan Palmer Posted May 8, 2010

I guess it all comes down to what we wanna do, ain't it really lol
Djkanna Posted May 8, 2010

I don't see what's so hard about find/replace to be honest :S
Jordan Palmer Posted May 8, 2010

> I don't see what's so hard about find/replace to be honest :S

Could you write up a tutorial? It may help those who are a lil stupid
Djkanna Posted May 8, 2010

I don't think I'll be able to, it's a little too complex for me, I mean there's Ctrl + H and all sorts O.o