Comments on: Exploiting PHP SELF http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/ A tool for designers dealing with programmers dealing with designers... Tue, 30 Sep 2008 23:39:24 +0000 http://wordpress.org/?v=2.6.2 By: nuntius http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1291 nuntius Wed, 27 Aug 2008 14:23:46 +0000 http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1291 Bipin, Busby is wrong, apparently he doesn't understand what this page is about... this is how you do it. Note however, that as this page is describing, this can be exploited. <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"> <!-- My Form --> </form> Check out this page also: http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html Bipin, Busby is wrong, apparently he doesn’t understand what this page is about… this is how you do it. Note however, that as this page is describing, this can be exploited.

<form method=”post” action=”<?php echo $_SERVER['PHP_SELF']; ?>”>
<!– My Form –>
</form>

Check out this page also:
http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html

]]> By: Busby SEO Challenge http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1282 Busby SEO Challenge Tue, 12 Aug 2008 03:31:01 +0000 http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1282 If you want to past variable on the same page you need to pass it by using GET statement. If you want to past variable on the same page you need to pass it by using GET statement.

]]> By: bipin http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1240 bipin Tue, 27 May 2008 08:13:09 +0000 http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1240 <form method=POST action="<?php echo $PHP_SELF;'SelectedState=$SelectedState' ?>" > in the above line i am trying to pass a variables value onto the same page but its not working can anyone suggest me the syntax <form method=POST action=”<?php echo $PHP_SELF;’SelectedState=$SelectedState’ ?>” >

in the above line i am trying to pass a variables value onto the same page but its not working can anyone suggest me the syntax

]]> By: Diego http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1075 Diego Tue, 15 Jan 2008 05:53:08 +0000 http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1075 the test 1 fails on PHP 5.2.4 without any special extension, etc The error I get is "Warning: Header may not contain more than a single header, new line detected. in /var/www/htdocs/php_self.php on line 4" The other 3 tests do work as expected. the test 1 fails on PHP 5.2.4 without any special extension, etc
The error I get is “Warning: Header may not contain more than a single header, new line detected. in /var/www/htdocs/php_self.php on line 4″
The other 3 tests do work as expected.

]]> By: Guillaume Rossolini http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1074 Guillaume Rossolini Mon, 14 Jan 2008 23:55:37 +0000 http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1074 Hi, You might want to escape the variable in header() by calling either urlencode(), and that should be enough. Please remember that each output medium has its proper escaping mechanism. The injection there happens mostly because you don't escape the output. Regards, Hi,
You might want to escape the variable in header() by calling either urlencode(), and that should be enough. Please remember that each output medium has its proper escaping mechanism. The injection there happens mostly because you don’t escape the output.
Regards,

]]> By: Stefan Esser http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1072 Stefan Esser Mon, 14 Jan 2008 20:51:27 +0000 http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1072 @Eric: There is noone to convince to fix this stuff. PHP_SELF is filled by the webserver. Apache supports PATH_INFO therefore this kind of path ends up in PHP_SELF. This problem is known for ages and still many sites are vulnerable to this... And well there is always the possibility to just install the Suhosin Extension and you are automatically secure from this kind of XSS. @Eric:
There is noone to convince to fix this stuff. PHP_SELF is filled by the webserver. Apache supports PATH_INFO therefore this kind of path ends up in PHP_SELF.

This problem is known for ages and still many sites are vulnerable to this…

And well there is always the possibility to just install the Suhosin Extension and you are automatically secure from this kind of XSS.

]]> By: Francesc Rosàs http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1071 Francesc Rosàs Mon, 14 Jan 2008 20:00:31 +0000 http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1071 @Eric: I didn't know it. Thanks! Luckily I don't use single quotes at HTML level. Anyway I'm gonna change my HTML escaping function to this: function eh ($string) { echo htmlspecialchars($string, ENT_QUOTES); } Being so essential, I don't understand why PHP doesn't have something like this built in. @Eric:
I didn’t know it. Thanks! Luckily I don’t use single quotes at HTML level.

Anyway I’m gonna change my HTML escaping function to this:

function eh ($string)
{
echo htmlspecialchars($string, ENT_QUOTES);
}

Being so essential, I don’t understand why PHP doesn’t have something like this built in.

]]> By: Eric Butera http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1070 Eric Butera Mon, 14 Jan 2008 15:58:41 +0000 http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1070 @Francesc: You need to use ENT_QUOTES as the second parameter just in case because by default ' will not be encoded. @Gareth: Thank you for the time for this post! Hopefully now this will be enough to convince the powers that be to fix this stuff. @Francesc:
You need to use ENT_QUOTES as the second parameter just in case because by default ‘ will not be encoded.

@Gareth:
Thank you for the time for this post! Hopefully now this will be enough to convince the powers that be to fix this stuff.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1069 Gareth Heyes Mon, 14 Jan 2008 15:52:07 +0000 http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1069 @Sean Yeah that's pretty bad, I know it isn't new but a reader asked me the question so it can't do any harm bringing the subject up again. @Sean

Yeah that’s pretty bad, I know it isn’t new but a reader asked me the question so it can’t do any harm bringing the subject up again.

]]> By: Sean Coates http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1068 Sean Coates Mon, 14 Jan 2008 15:41:33 +0000 http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/#comment-1068 I blogged about this 2.5 years ago, here: http://blog.phpdoc.info/archives/13-XSS-Woes.html (-: S I blogged about this 2.5 years ago, here: http://blog.phpdoc.info/archives/13-XSS-Woes.html

(-:

S

]]>