MakeWebGames

$_SERVER['PHP_SELF'] alternative/vulnerability



Some people may have noticed I have posted a few posts regarding PHP_SELF being insecure. Well, this is true, and I am just making this thread so that others don't make any mistakes like I did. So the following is just a few examples of how it can be used against you and some examples of fixing the issue.

The issue code:

$_SERVER['PHP_SELF']

Fixes:

'.basename($_SERVER['SCRIPT_FILENAME']).'

 

basename(__FILE__)

 

Issue in action:

http://www.gameurl.com/ask_staff.php/"<iframe src=http://www.crimgame.com></iframe> - will output an iframe to crimgame.com wherever $_SERVER['PHP_SELF'] is.

Screenshot example: (image not reproduced here)

Source of fake_login.php:

<?php
// Deliberately vulnerable demo: $_SERVER['PHP_SELF'] is echoed unescaped,
// both inside the form's action attribute and as plain page text.
echo '
 <h2>Form method</h2>
 <form name="login" action="'.$_SERVER['PHP_SELF'].'" method="post">
 <b>Name</b>: <input type="text" name="name" value="" />
 <br />
 <b>Password</b>: <input type="password" name="password" value="" />
 <br />
 <input type="submit" value="login" />
 </form>
 <h2>Echo method</h2>
 '.$_SERVER['PHP_SELF'];
?>

 

Thanks to Zeggy and/or Djkanna (I forget who) for notifying me of the issue in my code.


I used PHP_SELF for my forums as I wanted it to be very flexible, so they can call it what they like and just specify what posts they want shown there, e.g. staff_forum.php would be $forum->start('s'); to show only the staff forums/posts.

PHP_SELF could be used for many other things, not just forms/links. For instance, I used to have a page logger on my site: whatever URL you went on, I could record it along with your username, so I didn't have to go through every file and add the code.

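An added example, not code from any post in this thread, that reproduces the injection from the first post with constructed $_SERVER values and puts the fixes the thread discusses side by side: the escaping route (htmlentities()/htmlspecialchars()), the basename() route, SCRIPT_NAME as a third option, and urlencode() for comparison. It also covers the second post's two uses, a self-reference that does not hard-code the file name and a page logger that records the requested URL. The request values, the username and the file path are all made up for the demonstration; the functions called are standard PHP.

```php
<?php
// Added example, not code from the original thread. It reproduces the
// PHP_SELF injection with constructed $_SERVER values and puts the fixes
// discussed in the thread side by side. Run with: php php_self_demo.php
declare(strict_types=1);

// Constructed request: GET /ask_staff.php/"><script>alert(1)</script>
// Assumption: the web server hands the trailing segment to PHP as PATH_INFO,
// which PHP appends to PHP_SELF. SCRIPT_NAME and SCRIPT_FILENAME do not carry
// PATH_INFO, which is what makes them usable as a self-reference.
$_SERVER['SCRIPT_NAME']     = '/ask_staff.php';
$_SERVER['SCRIPT_FILENAME'] = '/var/www/html/ask_staff.php';   // made-up path
$_SERVER['PATH_INFO']       = '/"><script>alert(1)</script>';
$_SERVER['PHP_SELF']        = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];
$_SERVER['REQUEST_URI']     = $_SERVER['PHP_SELF'];

/** Escape a string for insertion into HTML text or a double-quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Vulnerable: PATH_INFO lands raw inside the action attribute. */
function action_vulnerable(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

/** Fix A: keep PHP_SELF (flexible, no file name in the code) but escape it. */
function action_escaped(): string
{
    return '<form action="' . h($_SERVER['PHP_SELF']) . '" method="post">';
}

/** Fix B: SCRIPT_NAME is the script's URL path without PATH_INFO; still escape it. */
function action_script_name(): string
{
    return '<form action="' . h($_SERVER['SCRIPT_NAME']) . '" method="post">';
}

/** Fix C (the thread's basename() fix): relative action, just the file name. */
function action_basename(): string
{
    return '<form action="' . h(basename($_SERVER['SCRIPT_FILENAME'])) . '" method="post">';
}

/** Not a fix for HTML: urlencode() is for URL components and mangles the path. */
function action_urlencoded(): string
{
    return '<form action="' . urlencode($_SERVER['PHP_SELF']) . '" method="post">';
}

/**
 * The page logger from the second post: record the raw requested URL with the
 * user name. The stored entry is unescaped; escaping belongs at render time.
 */
function log_page_view(string $username): string
{
    // A real site would append this line to a file or insert it into a table.
    return sprintf("%s\t%s\t%s", date('c'), $username, $_SERVER['REQUEST_URI']);
}

/** Render a stored entry into an admin page; every field is escaped here. */
function render_log_entry(string $entry): string
{
    return '<tr><td>' . implode('</td><td>', array_map('h', explode("\t", $entry))) . '</td></tr>';
}

$cases = [
    'vulnerable'  => action_vulnerable(),
    'escaped'     => action_escaped(),
    'script_name' => action_script_name(),
    'basename'    => action_basename(),
    'urlencoded'  => action_urlencoded(),
];
foreach ($cases as $label => $html) {
    // A correct output contains exactly one '<' (the <form tag itself); any
    // extra '<' means attacker-supplied markup made it into the page.
    $injected = substr_count($html, '<') > 1;
    printf("%-12s %s  %s\n", $label, $injected ? 'INJECTED' : 'safe    ', $html);
}

echo render_log_entry(log_page_view('alice')), "\n";   // 'alice' is a made-up user
```

Only the first case prints as INJECTED. htmlentities(), which the thread also mentions, works just as well as htmlspecialchars() here, since the characters that matter are `"`, `<` and `>`. urlencode() happens to stop the injection (it encodes `"` and `<` as %22 and %3C) but it is the wrong tool: it also turns the leading `/` into %2F, so the browser resolves the action as a relative URL to a file that does not exist. One caveat on the basename() fix: a relative action is resolved against the request URL, and with the attack URL above the base directory is /ask_staff.php/, so action="ask_staff.php" resolves to /ask_staff.php/ask_staff.php. The request still reaches the script (with PATH_INFO again), but an escaped SCRIPT_NAME gives an absolute path and avoids that surprise while keeping the code free of a hard-coded file name.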

$_SERVER['PHP_SELF'] is vulnerable to XSS attacks.
I love the fact people post the obvious, I agree with Equinox...Simple >_>

If you state the file's name, how would you ever be able to change the names easily?

 

Don't get me wrong, it's a good point you bring up.

I remember having this discussion with you on how to fix it; didn't we land on urlencode() and/or htmlentities()? Kanna also suggested the basename?

Yeah, we were discussing urlencode() at one point, if I recall.

I love the fact people post the obvious, I agree with Equinox...Simple >_>

If you state the file's name, how would you ever be able to change the names easily?
If you cannot be arsed to change all instances using Notepad's mass find and replace, then that's unlucky. I still stick with using file names.