<a href="http://g.adspeed.net/ad.php?do=clk&zid=14678&wd=728&ht=90&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=14678&wd=728&ht=90&pair=as" alt="i" width="728" height="90"/></a>

Nmap Security Scanner

Docs
Security Lists

Full Disclosure

More
Security Tools

Packet crafters

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

edgeos

Vulnerability Development: Re: PHP and SCRIPT_NAME variable

Re: PHP and SCRIPT_NAME variable

From: <contact_at_eder-harald.com>
Date: 21 Feb 2006 22:00:18 -0000

('binary' encoding is not supported, stored as-is) Hi,

as far as I know the elements of the $_SERVER array are filled by the webserver and therefore a manipulation through a php trick might by difficult.

>From my opinion it will be easier to alter this values through a trick on the webserver for instance by using a bug in Apache but I do not know about any which might do this.

Anyway, its quite a interesting point of view because many php scripts use the $_SERVER['REMOTE_ADDR'] value for their session management und maybe some other array items too.

But it would be also quite interesting if php uses the items of this array to do something or if its just an array with no effect for the php scripts. Does anybody know more about this?
Received on Feb 21 2006

This message: [ Message body ]
Next message: Harald Eder: "Re: PHP and SCRIPT_NAME variable"
Previous message: Mike Davis: "Re: shellcoding on gentoo"
Maybe in reply to: Roman Medina-Heigl Hernandez: "PHP and SCRIPT_NAME variable"
Next in thread: Harald Eder: "Re: PHP and SCRIPT_NAME variable"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]

edgeos