
Food for thought... [PHP security]

Discussion in 'HGP Archive' started by Dj_Jestar, 25 Oct 2005.

  1. Dj_Jestar

    Caporegime

    Joined: 18 Oct 2002

    Posts: 28,817

    Location: Back in East London

  2. Gman

    Mobster

    Joined: 18 Oct 2002

    Posts: 4,562

    nice :)

    well you can still use it and in a lot of cases it's needed, you've just got to remember to wrap it in htmlentities to cover your arse.
     
  3. Beansprout

    Man of Honour

    Joined: 31 Jan 2004

    Posts: 16,312

    Location: Plymouth

    SCRIPT_PATH be the solution then - but an interesting read, especially this comment:

     
  4. Dj_Jestar

    Caporegime

    Joined: 18 Oct 2002

    Posts: 28,817

    Location: Back in East London

    After some tests, it appears $_SERVER['SCRIPT_NAME'] is immune to this exact attack, but if some of the $_SERVER indices can be 'infected' then there will be a way to get them all :)
     
  5. AS_Platinum

    Wise Guy

    Joined: 5 Jun 2004

    Posts: 1,317

    Location: Hythe, Hants

    Nothing unusual happens here whatsoever, just get 'The Page Cannot be found' error. O/S specific???

    Am using IIS as dev server
     
  6. lookitsjonno

    Mobster

    Joined: 10 Sep 2003

    Posts: 4,275

    Location: Midlands

    much of the $_SERVER superglobal can be spoofed anyway so one more won't hurt.

    it's just a case of looping through the $_SERVER superglobal and running each entry through urldecode() and then htmlentities().
     
  7. Dj_Jestar

    Caporegime

    Joined: 18 Oct 2002

    Posts: 28,817

    Location: Back in East London

    This is a 'flaw' with PHP, thus it is a problem across all platforms and webservers.

    jonno - using urldecode on input is a very touchy subject, as pointed out in one of the comments on the Reserved Variables page on php.net :)
     
  8. Felix

    Mobster

    Joined: 25 Jan 2003

    Posts: 2,702

    What am I missing?
     
  9. Dj_Jestar

    Caporegime

    Joined: 18 Oct 2002

    Posts: 28,817

    Location: Back in East London

    que?

    If you mean you can't see the problem, basically it's an injection attack where the attacker could inject pretty much whatever they want onto your site, via a loophole in the superglobal $_SERVER['PHP_SELF'].
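
The pattern the thread is discussing, shown as an added example that is not from any of the posters: the usual `$_SERVER['PHP_SELF']` echo into a form action, beside the escaped form Gman describes (post 2) and the `SCRIPT_NAME` alternative Dj_Jestar tested (post 4). It escapes at output with htmlspecialchars rather than decoding input, which is the distinction posts 6 and 7 argue over. The function names and the request values in `$server` are constructed for this illustration.

```php
<?php
// Added example (not from the thread). Function names and the sample
// request array are constructed; the $_SERVER keys are the real ones.

// The common pattern: echo the current script path into a form action.
// $_SERVER['PHP_SELF'] includes any PATH_INFO the client appended to the
// URL, so client-chosen characters land inside an HTML attribute.
function form_action_unescaped(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Hardened form: escape at the point of output. ENT_QUOTES covers both
// quote styles, so the attribute cannot be closed early from inside the
// value and any tags in the value are rendered as literal text.
function form_action_escaped(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// Alternative raised in the thread: SCRIPT_NAME is the path of the
// executing script and does not carry client-supplied PATH_INFO. It is
// still escaped, because every value written into HTML should be.
function form_action_script_name(array $server): string
{
    $safe = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// Constructed request: the script is /contact.php and the client has
// appended path info containing a double quote and angle brackets.
$server = [
    'SCRIPT_NAME' => '/contact.php',
    'PHP_SELF'    => '/contact.php/"><em>injected</em>',
];

// Unescaped: the quote in PHP_SELF terminates the action attribute, so the
// remainder of the value becomes markup in the page body.
echo form_action_unescaped($server['PHP_SELF']), PHP_EOL;

// Escaped: the quote and angle brackets come out as &quot;, &lt; and &gt;,
// so the whole value stays inside the attribute as plain text.
echo form_action_escaped($server['PHP_SELF']), PHP_EOL;

// SCRIPT_NAME: only the script path is emitted, with no path info at all.
echo form_action_script_name($server), PHP_EOL;
```

Run it from the command line with `php` and compare the three lines: only the first one produces a second tag. The check to keep in mind is that the escaping has to sit on the output side, on every `$_SERVER` value that reaches HTML, regardless of whether the value looks server-generated.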