PHP self return of the slash

I haven't posted for a while because I couldn't think of anything interesting to say, but I thought about something I found ages ago in PHP4, and it's been long enough now. This is also quite funny because my server is vulnerable to this (that's what I get for crappy hosting).

So what happens if you escape PHP_SELF with htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES)? Safe from XSS? I hope so. Safe from everything? Not really, or at least it didn't use to be. PHP does some crazy things with the request URL, and in PHP4 it was possible to make PHP_SELF start with two slashes. htmlentities() never touches a slash, so the value survives escaping untouched, yet a form action of the form //host/path is a network-path reference: the browser keeps the current scheme, replaces the host, and posts the form to the other site. That is how you change a form target to an external URL without using a single "unsafe" character. Take the following example:-

Login form

This form simulates some web application login and uses PHP_SELF to output the URL because for some reason the developer doesn't want to type "login.php" or use __FILE__. The output is entity-escaped, so it is safe from XSS, but we can still change the form target simply by supplying slashes :) e.g.

Sending Google your password

So the user enters their username and password combination and thinks they are logging on to the target application, when in reality the details are being sent to an evil site.
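The following is an added example, not code from the original post or its demo pages. It reproduces the mechanism in Node.js: a stand-in for htmlentities() with ENT_QUOTES, the vulnerable form template, the browser's resolution of the action attribute against the page URL (the global WHATWG URL class, which follows the same relative-reference rules as RFC 3986), and a hardened variant that refuses any action resolving outside the page's own origin. The page URL http://example.com/login.php and the PHP_SELF value //www.google.com/login.php are constructed inputs; how a given PHP4 setup ends up with the leading double slash in PHP_SELF is not reproduced here.

```javascript
// Added example (not the original post's code): how a browser turns an
// entity-escaped but attacker-influenced PHP_SELF into a cross-site form
// target, and one way to refuse it. Runs under Node.js using the global
// WHATWG URL class; no network access is needed.

// Stand-in for PHP's htmlentities($s, ENT_QUOTES). Only these five
// characters are rewritten; slashes, dots and letters pass through
// untouched, which is the whole problem.
function htmlentities(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The vulnerable template from the post, as a string builder: the escaped
// PHP_SELF lands directly in the action attribute.
function renderLoginForm(phpSelf) {
  return `<form action="${htmlentities(phpSelf)}" method="post">` +
    '<input name="user"><input name="pass" type="password">' +
    '<input type="submit" value="Login"></form>';
}

// Where the credentials actually go. The HTML parser decodes the attribute
// back to the original string, then the browser resolves it against the page
// URL as a relative reference (RFC 3986 section 5.2, WHATWG URL standard).
// "//host/path" is a network-path reference: scheme kept, host replaced.
// Browsers also treat "\\host/path" like "//host/path" for http(s) pages.
function resolveFormAction(pageUrl, phpSelf) {
  return new URL(phpSelf, pageUrl).href;
}

// Hardened variant: resolve first, then refuse anything that leaves the
// page's own origin and fall back to a hard-coded script path instead.
// (A plain check for a leading "//" would miss the backslash form above.)
function safeFormAction(pageUrl, phpSelf, fallbackPath) {
  const page = new URL(pageUrl);
  const target = new URL(phpSelf, pageUrl);
  return target.origin === page.origin ? target.pathname : fallbackPath;
}

// Constructed inputs: the page's own URL and a PHP_SELF that an attacker has
// managed to start with two slashes (the post's scenario).
const PAGE_URL = 'http://example.com/login.php';
const EVIL_PHP_SELF = '//www.google.com/login.php';

console.log(renderLoginForm(EVIL_PHP_SELF));
console.log('posts to:', resolveFormAction(PAGE_URL, EVIL_PHP_SELF)); // http://www.google.com/login.php
console.log('hardened:', safeFormAction(PAGE_URL, EVIL_PHP_SELF, '/login.php')); // /login.php
```

The fix of record for this class of bug is not to build the action from PHP_SELF at all: hard-code the script path, or leave the action attribute off so the form posts back to the current document. The origin check above is the belt-and-braces version for templates that insist on emitting a computed path.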

I checked PHP5 and it seemed ok but this will serve as a reminder that the slash can get you.

2 Responses to “PHP self return of the slash”

  1. aj writes:

    Can I have a try at the example page?
    Or is it a honeypot ~_~?

  2. Jan! writes:

    I honestly don’t understand why TBL and Fielding did this. I did not know about this behaviour; I thought any URI that did not start with a scheme, was a relative URI.

    (Note to others looking for the authoritative definition: see appendix C of http://www.ietf.org/rfc/rfc2396.txt for an example.)

    That said, it does allow for some neat micro-optimisation for page weight weenies.