Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: http-phpself-xss
From: Abuse007 <abuse007 () gmail com>
Date: Tue, 31 May 2011 00:54:11 +1000

If I'm not mistaken the script is not trying to exploit the php parameters, such as data in your second example, but 
rather the PHP_SELF variable which is set the the relative URL of the currently executing script - including what comes 
after the php file. 

From the doco: -

The filename of the currently executing script,relative to the document root. For instance,$_SERVER['PHP_SELF'] in a 
script at the addresshttp://example.com/test.php/foo.bar would be /test.php/foo.bar.



See: -
http://spotthevuln.com/2009/10/privilege-escalation-one-damn-thing/

Cheers



On 30/05/2011, at 11:07 PM, "Hans Nilsson" <hasse_gg () ftml net> wrote:

What about when only certain variables are vulnerable?

For example
example.com/test.php?<script>alert(1)</script>
may not work when 
example.com/test.php?data=<script>alert(1)</script>
works.

Or what about if only POST-data is vulnerable?

/Hans


On Sun, 29 May 2011 03:04 -0700, "Paulino Calderon"
<paulino () calderonpale com> wrote:
Hi everyone,

I'm attaching my script 'http-phpself-xss', this script detects php 
files vulnerable to Phpself Cross Site Scripting(*) in a web server.

First, the script crawls the webserver to list all php files and then it 
sends an attack probe to identify all vulnerable scripts.

Feel free to test this script against my dummy app -> 
http://calder0n.com/sillyapp/

(*) Phpself Cross Site Scripting vulnerabilities refers to cross site 
scripting vulnerabilities caused by the lack of sanitation of the 
variable $_SERVER["PHP_SELF"] in PHP scripts/web applications.

Cheers.

-- 
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: @paulinocaIderon


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Email had 1 attachment:
+ http-phpself-xss.nse
 12k (text/plain)
-- 
 Hans Nilsson
 hasse_gg () ftml net

-- 
http://www.fastmail.fm - A no graphics, no pop-ups email service

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]