From: Paulino Calderon <paulino () calderonpale com>
Date: Mon, 30 May 2011 12:55:58 -0700
Correct. Lots of developers use $_SERVER["PHP_SELF"] to retrieve the
script's name without escaping it first, not knowing that attackers can
tamper with this variable.
Other examples are:
I'll submit a new script to scan for more generic cross site scripting
vulnerabilities after I make sure the crawling / parsing of all the
malformed documents out there works correctly ;)
On 05/30/2011 07:54 AM, Abuse007 wrote:
> If I'm not mistaken the script is not trying to exploit the php
> parameters, such as data in your second example, but rather the PHP_SELF
> variable which is set to the relative URL of the currently executing
> script - including what comes after the php file.
> From the doco: -
> The filename of the currently executing script, relative to the
> document root. For instance, $_SERVER['PHP_SELF'] in a script at the
> address http://example.com/test.php/foo.bar would be /test.php/foo.bar.
> See: -
> On 30/05/2011, at 11:07 PM, "Hans Nilsson"<hasse_gg () ftml net> wrote:
>> What about when only certain variables are vulnerable?
>> For example
>> may not work when
>> Or what about if only POST-data is vulnerable?
>> On Sun, 29 May 2011 03:04 -0700, "Paulino Calderon"
>> <paulino () calderonpale com> wrote:
>>> Hi everyone,
>>> I'm attaching my script 'http-phpself-xss', this script detects php
>>> files vulnerable to Phpself Cross Site Scripting (*) in a web server.
>>> First, the script crawls the webserver to list all php files and
>>> sends an attack probe to identify all vulnerable scripts.
>>> Feel free to test this script against my dummy app ->
>>> (*) Phpself Cross Site Scripting vulnerabilities refer to cross site
>>> scripting vulnerabilities caused by the lack of sanitation of the
>>> variable $_SERVER["PHP_SELF"] in PHP scripts/web applications.
>>> Paulino Calderón Pale
>>> Web: http://calderonpale.com
>>> Twitter: @paulinocaIderon
>>> Sent through the nmap-dev mailing list
>>> Archived at http://seclists.org/nmap-dev/
>>> Email had 1 attachment:
>>> + http-phpself-xss.nse
>>> 12k (text/plain)
>> Hans Nilsson
>> hasse_gg () ftml net
>> http://www.fastmail.fm - A no graphics, no pop-ups email service
Paulino Calderón Pale
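The pattern the thread is discussing, as an added example that is not Paulino's NSE script nor code from any message above: a minimal PHP page that writes $_SERVER['PHP_SELF'] into a form action once unescaped and once HTML-encoded, so the reflected path-info payload can be compared directly. The file name phpself.php, the listen address, the helper function names and the sample payload are assumptions of this example; it also assumes the web server (PHP's built-in server, or Apache with AcceptPathInfo on) passes trailing path info through to the script, which is exactly what lets request data end up in PHP_SELF.

```php
<?php
// Added example, not code from the nmap-dev thread or from http-phpself-xss.
// Run:     php -S 127.0.0.1:8080 phpself.php
// Request: http://127.0.0.1:8080/phpself.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E
// The part after "phpself.php" is path info; PHP_SELF becomes
// /phpself.php/"><script>alert(1)</script> and lands inside the HTML.
// Run without a server (php phpself.php) for an offline comparison using a
// constructed PHP_SELF value.
declare(strict_types=1);

// Vulnerable pattern: the raw value is concatenated into an attribute, so the
// attacker's "> closes the tag and the <script> element that follows executes.
function vulnerable_form(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Hardened pattern: HTML-encode before emitting into an attribute. ENT_QUOTES
// encodes both " and ', so it is safe whichever attribute quoting is used;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently turning into an empty string.
function hardened_form(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// SCRIPT_NAME does not carry the path info that PHP_SELF does, but it is still
// derived from the request line, so it is encoded all the same.
function hardened_form_script_name(string $scriptName): string
{
    $safe = htmlspecialchars($scriptName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

if (PHP_SAPI === 'cli') {
    // Constructed value: what PHP_SELF holds for the request URL shown above.
    $phpSelf = '/phpself.php/"><script>alert(1)</script>';
    echo "PHP_SELF   : $phpSelf\n";
    echo "vulnerable : " . vulnerable_form($phpSelf) . "\n";
    echo "hardened   : " . hardened_form($phpSelf) . "\n";
    exit(0);
}

header('Content-Type: text/html; charset=UTF-8');
echo "<!doctype html><title>PHP_SELF demo</title>\n";
// Shown encoded here so the page itself does not become a second sink.
echo '<p>PHP_SELF = ' . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</p>\n";
echo "<h2>vulnerable</h2>\n" . vulnerable_form($_SERVER['PHP_SELF']) . "<input type=\"submit\"></form>\n";
echo "<h2>hardened</h2>\n" . hardened_form($_SERVER['PHP_SELF']) . "<input type=\"submit\"></form>\n";
echo "<h2>SCRIPT_NAME</h2>\n" . hardened_form_script_name($_SERVER['SCRIPT_NAME']) . "<input type=\"submit\"></form>\n";
```

Two practical notes. First, because the payload rides in the URL path rather than in a parameter, this is reflected XSS that needs a victim to follow a crafted link; a deployment that refuses trailing path info (AcceptPathInfo Off, or a front end that normalises the path) never populates PHP_SELF with it, so a probe that appends a payload after the .php name will report nothing there even if the echo is unescaped. Second, a probe of this kind only speaks to PHP_SELF: parameter-based or POST-only reflection, which Hans asks about above, is a different sink and needs a different test.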