Serg Belokamen wrote:
> I am quiet sure you can't exploit $_SERVER["SCRIPT_NAME"] variable
> unless there is a buffer overflow or something, but then again you
> would be limited by the size of data allowed withing GET request... So
> doubt you get anything evil out of that.
I also talked privately with other folks like FX and Steffan Esser. They
told me both that the normalization of that variable (amongst others, I
suppose) depends on the web server being used. I only had time to do some
quick tests with Apache 1.3.x and Apache 2.0.x, and they result the same
(for instance, "/dir1/../dir2/script.php" gets normalized to
"/dir2/script.php"). Have somebody done similar tests and noted different
behaviours between different web servers? Examples?
> However if you swap yoru example from:
>
> $_SERVER["SCRIPT_NAME"]
>
> to
>
> $_SERVER["PHP_SELF"]
Yes, I know. If the variable in question was PHP_SELF, the game would be
over and I'd have my "problem" solved. But unfortunately it's not the case.
--
Saludos,
-Roman
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
Received on Feb 23 2006
Intro
