Re: $_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF'] (or other?)

Posted by Chuck Anderson on 02/26/06 22:58

Jim Carlock wrote:

>"Jim Carlock" asked:
>
>
>>Is there something that can be done to prevent that sort of thing?
>>
>>
>
>I've got a better feel for the problem with PHP_SELF and XSS
>attacks. I initially misread your statement and while the Mozilla
>browser displayed nothing (javascript turned off), Microsoft's
>Internet Explorer showed the problem.
>
>I found a great link describing the $_SERVER['PHP_SELF'],
>http://blog.phpdoc.info/archives/13-XSS-Woes.html, which
>definitely doesn't seem limited to that variable, but also to the
>other items:
>
>phpinfo()
>$_SERVER['PHP_SELF']
>$_SERVER['PHP_INFO']
>
>Some digging into: +PHP "XSS attack" turned up all sorts of things,
>including the link above, which in turn led to this link, which describes
>vulnerabilities of $_SERVER['SERVER_NAME'] ...
>http://www-128.ibm.com/developerworks/blogs/dw_blog_comments.jspa?blog=481&entry=75480
>
><html>
><head>
><title>Testing Server Variables</title>
></head>
><body><p><a href="#<?php echo($_SERVER['SERVER_NAME']); ?>">Hold your mouse over this link</a></p>
><p><?php echo($_SERVER['PHP_SELF']); ?></p></body></html>
>
>The above encoding turns up some really odd behaviors.
>
>Holding the mouse over that link results in...
>
>http://localhost/test.php/%22%3E%3Cimg%20src=http://www.perl.com/images/75-logo.jpg%3E%3Cblah#70.124.31.73
>
>While clicking on the source code itself presents the following
>(Internet Explorer, click on View, click on Source):
>
><html>
><head>
><title>Testing Server Variables</title>
></head>
><body><p><a href="#70.124.31.73">Hold your mouse over this link</a></p>
><p>/test.php/\"><img src=http://www.perl.com/images/75-logo.jpg><blah</p></body></html>
>
>Thanks for bringing up "XSS attack" inside of PHP. I'm not quite
>sure what the above completely represents, but it appears that
>possibly the http headers were compromised as well, showing
>a vulnerability with $_SERVER['SERVER_NAME'].
>
>Anyone else here that knows what's going on there and any
>suggestions are greatly appreciated.
>
>Jim Carlock
>Post replies to the group.
>
I'm just trying to follow this discussion, so I tried the examples to
see what happens.

When I re-create the example at
http://blog.phpdoc.info/archives/13-XSS-Woes.html
and inject the "extra data", nothing happens. I get a server error:
The requested URL /testing/testing server variables.php/\ was not found
on this server.

When I try the same example on my remote host I get a 403 error:
script%3E%3Cfoo access denied

I never see the JavaScript alert executed (I have JavaScript enabled).

--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
Integrity is obvious.
The lack of it is common.
*****************************
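The quoted test page rendered the unescaped way next to a hardened version, as an added example that is not part of the thread or of the linked articles. The $_SERVER values assigned in the CLI branch are constructed to mimic the request shown in the quoted post, and h() is a hypothetical helper name.

```php
<?php
// Added example: the thread's test page, vulnerable and hardened side by side.
// Run it under a web server, or from the CLI where the constructed $_SERVER
// values below stand in for a request like /test.php/"><img src=...><blah
declare(strict_types=1);

// Escape any request-derived string before it is placed inside HTML.
// ENT_QUOTES also encodes the single quote, so the result is safe inside
// attributes quoted either way as well as in element text.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request values (CLI only): PATH_INFO rides along into
// PHP_SELF, but SCRIPT_NAME carries only the script's own path.
if (PHP_SAPI === 'cli') {
    $_SERVER['SCRIPT_NAME'] = '/test.php';
    $_SERVER['PHP_SELF']    = '/test.php/"><img src=http://example.invalid/x.jpg><blah';
    $_SERVER['SERVER_NAME'] = '"><img src=http://example.invalid/y.jpg><blah';
}

// Vulnerable: exactly what the quoted test page does. The appended path
// segment is copied into the markup unchanged, so the browser parses the
// injected <img> tag as part of the page.
$vulnerable = '<p>' . $_SERVER['PHP_SELF'] . '</p>';

// Hardened option 1: escape at the point of output. The same input now
// renders as literal text: &quot;&gt;&lt;img src=...&gt;&lt;blah
$escaped = '<p>' . h($_SERVER['PHP_SELF']) . '</p>';

// Hardened option 2: prefer SCRIPT_NAME when you only need the script's
// path (e.g. a form action), so the injected suffix never appears at all.
// Escape it anyway; every $_SERVER value should be treated as untrusted.
$form = '<form action="' . h($_SERVER['SCRIPT_NAME']) . '" method="post">';

// SERVER_NAME is filled from the request's Host header on common Apache
// configurations (UseCanonicalName Off), so it is client-influenced too.
$anchor = '<a href="#' . h($_SERVER['SERVER_NAME']) . '">Hold your mouse over this link</a>';

echo $vulnerable, "\n", $escaped, "\n", $form, "\n", $anchor, "\n";
```

Viewing the output with "View Source" as in the quoted post shows the difference: the first line contains a live <img> tag, the second contains only entity-encoded text.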
