Posted by Colin McKinnon on 02/26/06 03:53
Jim Carlock wrote:
> And the subject... is one of the variables better than the other? One
> a wrapper to the other? Which one is the wrapper and which one
> is the final calling? Anyone know where to find such details? If there's
> a link available...
>
> $_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF']
>
PHP_SELF can be leveraged to effect XSS attacks if the webserver is
configured to allow GET parameters embedded in the path. Write a script,
say /home/jim/public_html/inf.php:
<?php
phpinfo();
?>
Then try accessing it with:
http://localhost/~jim/inf.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E%3Cblahblah
Look at the source - you'll see that script_name was not vulnerable.
C.
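
The difference described in the post above, as an added example that is not part of the original message: PHP builds PHP_SELF from SCRIPT_NAME plus the URL-decoded path info, so echoing it unescaped into HTML reflects whatever follows the script name in the URL. The `$server` array is a constructed stand-in for `$_SERVER` on the request from the post, and the form-rendering functions are hypothetical names chosen for illustration.

```php
<?php
// Constructed sample: the values PHP would set for the request in the post.
// Path info is URL-decoded before it is appended to PHP_SELF.
$server = [
    'SCRIPT_NAME' => '/~jim/inf.php',
    'PATH_INFO'   => '/"><script>alert(\'hacked\')</script><blahblah',
];
$server['PHP_SELF'] = $server['SCRIPT_NAME'] . $server['PATH_INFO'];

// Unsafe: PHP_SELF is written straight into an HTML attribute.
function form_unsafe(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Safer: SCRIPT_NAME carries no path info, and is still escaped on output.
function form_safe(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// If the path info is genuinely needed, escape PHP_SELF for the attribute context.
function form_escaped_self(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// Crude check for this demo only: did a raw <script> tag reach the output?
function has_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

foreach (['form_unsafe', 'form_safe', 'form_escaped_self'] as $fn) {
    $html = $fn($server);
    printf("%-18s raw <script>: %-3s %s\n", $fn, has_raw_script($html) ? 'yes' : 'no', $html);
}
```

Run with the PHP CLI; only `form_unsafe` lets the tag through, while the other two emit either the bare script path or an entity-encoded string.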