Posted by Jim Carlock on 02/26/06 04:43
Jim Carlock wrote:
> And the subject... is one of the variables better than the other? Is one
> a wrapper to the other? Which one is the wrapper and which one
> is the final calling? Anyone know where to find such details? If there's
> a link available...
>
> $_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF']
>
"Colin McKinnon" posted a reply:
> PHP_SELF can be leveraged to effect XSS attacks if the webserver
> is configured to allow GET parameters embedded in the path. Write
> a script, say /home/jim/public_html/inf.php:
> <?php phpinfo(); ?>
> Then try accessing it with:
> http://localhost/~jim/inf.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E%3Cblahblah
>
> Look at the source - you'll see that script_name was not vulnerable.
Okay, that specific example didn't reference $_SERVER['SCRIPT_NAME']
nor $_SERVER['PHP_SELF'].
Did you forget to include something?
I tested it out. phpinfo() reported the following:
----
Apache Environment Variables
PATH_INFO: /"><script>alert('hacked')</script><blahblah
REQUEST_URI: /test.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E%3Cblahblah
----
HTTP Headers Information
HTTP Request: GET /test.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E%3Cblahblah HTTP/1.1
It looks like that "script" depends upon some sort of CGI capability,
perhaps PHP.EXE configured into the PATH. Is that related to the
subject in some way?
<g> You lost me there.
Jim Carlock
Post replies to the group.
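An added example, not from this thread or either poster, showing what the quoted reply is getting at. PHP_SELF is SCRIPT_NAME with PATH_INFO appended, so when a request like the one above carries extra path after `test.php`, PHP_SELF inherits it while SCRIPT_NAME does not. The `$_SERVER` values below are constructed to mirror the phpinfo() output Jim pasted; `form_action` is a hypothetical helper written for this illustration.

```php
<?php
// Added example (not from the original thread): how a self-referencing form
// action behaves with PHP_SELF versus SCRIPT_NAME, and the output escaping that
// makes either one safe to echo into HTML.

// Build an HTML form action attribute from the current script's URL.
// $escape = false reproduces the risky pattern; $escape = true is the fix.
function form_action(array $server, string $key, bool $escape): string
{
    $path = $server[$key] ?? '';
    if ($escape) {
        // htmlspecialchars neutralises ", ', <, > and & in attribute context.
        $path = htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
    }
    return '<form method="post" action="' . $path . '">';
}

// Constructed $_SERVER values mirroring the request in the thread: the script
// is /test.php and the request carried extra path info after it.
$server = [
    'SCRIPT_NAME' => '/test.php',
    'PATH_INFO'   => '/"><script>alert(\'hacked\')</script><blahblah',
];
// PHP_SELF is SCRIPT_NAME plus PATH_INFO, which is why it inherits the payload.
$server['PHP_SELF'] = $server['SCRIPT_NAME'] . $server['PATH_INFO'];

echo form_action($server, 'PHP_SELF', false), "\n";    // attribute closed early; markup injected
echo form_action($server, 'PHP_SELF', true), "\n";     // same input, payload rendered inert
echo form_action($server, 'SCRIPT_NAME', false), "\n"; // no path info, nothing to inject
```

Run it from the command line with `php example.php` and compare the three lines: only the unescaped PHP_SELF case produces a broken attribute followed by a live `<script>` tag. The takeaway for page code is that SCRIPT_NAME avoids the path-info problem, but either value should still pass through htmlspecialchars() before being written into HTML.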