Full Disclosure mailing list archives

PHP and SCRIPT_NAME variable
From: Roman Medina-Heigl Hernandez <roman () rs-labs com>
Date: Mon, 20 Feb 2006 16:06:23 +0100


Last week I was thinking about the possibility for an external attacker to
influence the following PHP variable:

The former variable contains the remote path (URI) to a PHP script, so if
for instance you access with a browser to:
Then SCRIPT_NAME will contain "/aa/bb/cc/script.php"

I did some basic tests with PHP 4.3.10 and the implementation seems to be safe:
- For instance, if you access something like:
Then SCRIPT_NAME will be "/aa/dd/cc/script.php"
instead of "/aa/bb/../dd/cc/script.php"
- If you try:
Then SCRIPT_NAME will contain "/aa/bb/cc/script.php"

My goal is to be able to add some attacker-specified string to the
variable. Two questions:
1) Do you know of any trick/method by which an attacker could alter the
SCRIPT_NAME variable? (obviously without having access to docroot directory
and/or edit httpd.conf)
2) Perhaps older PHP versions didn't sanitize SCRIPT_NAME variable
correctly and could be abused? Any idea?

