|
Posted by "Richard Lynch" on 08/27/05 02:42
On Fri, August 26, 2005 5:55 am, Edward Vermillion wrote:
> Chris Shiflett wrote:
>
>> Because $_SERVER['SERVER_NAME'] can be manipulated by the user in
>> some
>> cases, you must consider $temp tainted at this point.
>>
>
> I was under the the impression that the non-'HTTP_*' keys in the
> $_SERVER array came from the server itself. Obvoiusly I'm wrong, but
> I'm
> curoius how 'SERVER_NAME' could be manipulated by the client. Is there
> anything in the $_SERVER array that *can* be considered safe?
Here is what little info I have in my brain on this topic... :-)
When your browser requests:
http://example.com/index.php
what really happens is a more like doing this from a command shell:
telnet example.com 80
[wait for a prompt, type the following]
GET /index.php HTTP/1.0
Host: example.com
[hit return again here]
This last one, the "Host:" headers, is used by VirtualHost settings in
Apache to determine which URL you actually want.
But there's nothing to stop Bad Guy from doing this:
telnet php.net 80
GET /index.php HTTP/1.0
Host: example.com
At that point, if php.net responds at all, I *THINK*
$_SERVER['SERVER_NAME'] might, depending on Apache configuration, be
'example.com'
Or maybe not.
But when you stop to think about all the sites that are hosted on
multiple server farm setups, where a single domain is actually
serviced by an army of computers due to the sheer volume, you realize
that the 'SERVER_NAME' cannot POSSIBLY be the actual honest-to-god
there-is-only-one IP address of a single computer that is responding.
So odds are really good that in *SOME* situations,
$_SERVER['SERVER_NAME'] is not particularly reliable.
That may not be your situation ; It might be 100% reliable in YOUR
situation.
But do you really want to write code that might maybe someday get
thrown into a different situation that has vulnerabilities in it?
Disclaimer: I really have no idea how it could harm you, but if Chris
Shifflett warns against it, don't do it. :-)
--
Like Music?
http://l-i-e.com/artists.htm
[Back to original message]
|