
PHP $_SERVER['PHP_SELF'] vulnerability


ala888


Hello! I don't exactly understand how the injection vulnerability for $_SERVER['PHP_SELF'] works.

I've looked at multiple other threads, but what I don't understand is this: since the PHP file is running server side, how is it even physically possible for the client to alter the value of "$_SERVER['PHP_SELF']" by changing the URL in his browser? The command essentially pulls up a list of files from the server root and scans through their names. It doesn't check the client-side URL address box! Therefore, anything the user types shouldn't affect the website itself, since the form's "$_SERVER['PHP_SELF']" part is deriving its value way back from the server itself.


thanks for the help!


There's a description of the injection vulnerability here: http://www.dzhang.com/blog/2013/05/20/php_self-and-cross-site-scripting

> how is it even physically possible for the client to alter the value of "$_SERVER['PHP_SELF']" by changing the url in his browser?

You answered your own question - they change the URL.

> The command essentially pulls up a list of files

No it doesn't, the value comes from the request headers, which is client-side data. It does not validate it against an actual file. If it did, URL rewriting would not work.

> the value comes from the request headers

Well then, if it came from there, why would it execute the same PHP even though the URL is different? Won't their attempt at modifying the URL just lead them into a 404 error?


Thanks to justsomeguy, I just learnt a new thing now :)

Now PHP_SELF fetches the URL from the address bar. If I am using something like

<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"><input type="text" name="" /></form>

and in the address bar I add this (assuming my file is test.php)

test.php/" <script>alert('hello');</script>

Check the output now :)


> well then, if it came from there, why would it execute the same php even though the url is different? wont their attempt at modifying url just lead them into a 404 error?

Did you try the example in the article? You can even try it on this forum, add the extra text to the end of index.php and see if it shows a 404 or if it still loads index.php.

OK, I understand now. But I have a question as to why ['php_self'] grabs its value from the client-side sent request instead of directly from the web server directory. Seems a bit counter-intuitive to me; unless of course there is some inherent benefit to the procedure - please enlighten me. Also, is there another superglobal that does grab its value directly from the web server directory, as an enhanced replacement for ['php_self']?


> But I have a question to why ['php_self'] grabs its value from the client-side sent request instead of directly from the webserver directory.

Because that is specifically what PHP_SELF is for. If you want the full local filesystem path to the executing file, use the __FILE__ constant. Otherwise, maybe create a phpinfo page or test page that prints all of $_SERVER and see what's available. Or, check the PHP manual, it describes the $_SERVER array.
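As an added example (not code from this thread or the linked article), here is the form posted earlier rendered two ways under a constructed PHP_SELF value: the raw interpolation the thread discusses beside an htmlspecialchars() version. The request path, the field name "q" and the helper function names are my own; the script runs from the command line, so the $_SERVER value is set by hand to stand in for what the web server would supply.

```php
<?php
// Added demonstration: a crafted request path reaches the rendered form through
// $_SERVER['PHP_SELF'], and attribute encoding stops it. The value below is
// constructed; on a real server PHP_SELF is built from the request URL,
// so the part after /test.php (PATH_INFO) is whatever the client sent.
$_SERVER['PHP_SELF'] = '/test.php/"><script>alert(\'hello\')</script><"';

// The form as posted in the thread: the raw path is written straight into an
// attribute, so the quote in PATH_INFO closes it and the rest becomes markup.
function renderVulnerableForm(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">'
         . '<input type="text" name="q" /></form>';
}

// Hardened version: encode for the HTML attribute context. ENT_QUOTES turns
// both " and ' into entities, so no request value can end the attribute.
function renderHardenedForm(string $phpSelf): string
{
    $action = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $action . '" method="post">'
         . '<input type="text" name="q" /></form>';
}

// Crude check used only for this demonstration: did a raw <script> tag survive?
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$vulnerable = renderVulnerableForm($_SERVER['PHP_SELF']);
$hardened   = renderHardenedForm($_SERVER['PHP_SELF']);

echo "Vulnerable output:\n$vulnerable\n\n";
echo "Hardened output:\n$hardened\n\n";
printf("Raw <script> in vulnerable: %s\n", containsRawScriptTag($vulnerable) ? 'yes' : 'no');
printf("Raw <script> in hardened:   %s\n", containsRawScriptTag($hardened) ? 'yes' : 'no');
```

Encoding fixes the attribute, but a form that only ever posts to itself does not need the request path at all: an empty action, or a path derived from __FILE__ as the reply above suggests, removes the client-controlled input from the markup entirely.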