Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

PHP and SCRIPT_NAME variable
From: Roman Medina-Heigl Hernandez <roman () rs-labs com>
Date: Mon, 20 Feb 2006 16:06:23 +0100

Hello,

Last week I was thinking about the possibility for an external attacker to
influence over the following PHP variable:
$_SERVER['SCRIPT_NAME']

The former variable contains the remote path (URI) to a PHP script, so if
for instance you access with a browser to:
http://<site>/aa/bb/cc/script.php
Then SCRIPT_NAME will contain "/aa/bb/cc/script.php"

I did some basic tests with PHP 4.3.10 and the implementation seems to be safe:
- For instance, if you access something like:
http://<site>/aa/bb/../dd/cc/script.php
Then SCRIPT_NAME will be "/aa/dd/cc/script.php"
instead of "/aa/bb/../dd/cc/script.php"
- If you try:
http://<site>/aa/bb/cc/script.php/something
or
http://<site>/aa/bb/cc/script.php?something
Then SCRIPT_NAME will contain "/aa/bb/cc/script.php"

My goal is to be able to add some attacker-specified string to the
variable. Two questions:
1) Do you know of any trick/method by which an attacker could alter
SCRIPT_NAME variable? (obviusly without having access to docroot directory
and/or edit httpd.conf)
2) Perhaps older PHP versions didn't sanitize SCRIPT_NAME variable
correctly and could be abused? Any idea?

TIA.

Cheers,
-Román
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • PHP and SCRIPT_NAME variable Roman Medina-Heigl Hernandez (Feb 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault