ala888 Posted July 1, 2014

Hello! I don't exactly understand how the injection vulnerability for `$_SERVER['PHP_SELF']` works. I've looked at multiple other threads; but what I don't understand is, since the PHP file is running server side, how is it even physically possible for the client to alter the value of `$_SERVER['PHP_SELF']` by changing the URL in his browser? The command essentially pulls up a list of files from the server root and scans through their names. It doesn't check the client-side URL address box! Therefore, anything the user types shouldn't affect the website itself, since the `$_SERVER['PHP_SELF']` part of the form is deriving its value way back from the server itself. Thanks for the help!
justsomeguy Posted July 1, 2014

There's a description about the injection vulnerability here: http://www.dzhang.com/blog/2013/05/20/php_self-and-cross-site-scripting

> how is it even physically possible for the client to alter the value of "$_SERVER['PHP_SELF']" by changing the url in his browser?

You answered your own question - they change the URL.

> The command essentially pulls up a list of files

No it doesn't, the value comes from the request headers, which is client-side data. It does not validate it against an actual file. If it did, URL rewriting would not work.
ala888 Posted July 1, 2014 Author

> the value comes from the request headers

Well then, if it came from there, why would it execute the same PHP even though the URL is different? Won't their attempt at modifying the URL just lead them into a 404 error?
Don Jajo Posted July 2, 2014

Thanks to justsomeguy, I just learnt a new thing now. Now, PHP_SELF fetches the URL from the address bar, so if I am using something like

```php
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"><input type="text" name="" /></form>
```

and in the address bar I add this (assuming my file is test.php):

```
test.php/" <script>alert('hello');</script>
```

Check the output now.
justsomeguy Posted July 2, 2014

> well then, if it came from there, why would it execute the same php even though the url is different? wont their attempt at modifying url just lead them into a 404 error?

Did you try the example in the article? You can even try it on this forum, add the extra text to the end of index.php and see if it shows a 404 or if it still loads index.php.
ala888 Posted July 3, 2014 Author

K, I understand now. But I have a question as to why `['php_self']` grabs its value from the client-side sent request instead of directly from the web server directory. Seems a bit counter-intuitive to me; unless, of course, there is some inherent benefit to the procedure - please enlighten me. Also, is there another superglobal that does grab its value directly from the web server directory, as an enhanced replacement for `['php_self']`?
Don Jajo Posted July 3, 2014

I'm doubting you read that article. `$_SERVER['SCRIPT_NAME']`
justsomeguy Posted July 3, 2014

> But I have a question to why ['php_self'] grabs its value from the client-side sent request instead of directly from the webserver directory.

Because that is specifically what PHP_SELF is for. If you want the full local filesystem path to the executing file, use the `__FILE__` constant. Otherwise, maybe create a phpinfo page or test page that prints all of `$_SERVER` and see what's available. Or, check the PHP manual, it describes the `$_SERVER` array.
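The difference the thread turns on, written up as an added example that is not from any of the posters: PHP_SELF keeps whatever path info followed the script name in the request, while SCRIPT_NAME stops at the script that actually ran. It assumes the file is saved as test.php and served with path info enabled, as in Don Jajo's example, and shows the escaped form action a defender would use instead of echoing PHP_SELF raw.

```php
<?php
// Added example, not code from the thread. Assumes this file is test.php and
// the server passes trailing path info through (e.g. a request for
// /test.php/anything still runs test.php, as the thread demonstrates).

// PHP_SELF is built from the request path, so a request for
// "/test.php/extra" gives "/test.php/extra". SCRIPT_NAME is the path of the
// script that executed, without the trailing path info: "/test.php".
$self   = $_SERVER['PHP_SELF'];
$script = $_SERVER['SCRIPT_NAME'];

// Vulnerable pattern from the thread (kept commented out): request-controlled
// text goes straight into an HTML attribute, so a quote in the path closes
// action="..." early and the rest of the path is rendered as markup.
// echo '<form action="' . $self . '" method="post">';

// Fix 1: escape anything taken from $_SERVER before it reaches HTML.
// ENT_QUOTES encodes both " and ' so the attribute cannot be closed early.
function form_action_escaped(string $path): string
{
    return htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
}

// Fix 2: prefer SCRIPT_NAME, which drops the attacker-controlled path info,
// and still escape it. Hardcoding the action ("test.php") is simpler still.
$action = form_action_escaped($script);
?>
<p>PHP_SELF is: <?= htmlspecialchars($self, ENT_QUOTES, 'UTF-8') ?></p>
<p>SCRIPT_NAME is: <?= htmlspecialchars($script, ENT_QUOTES, 'UTF-8') ?></p>
<form action="<?= $action ?>" method="post">
  <input type="text" name="q">
  <button type="submit">Send</button>
</form>
```

Load it as /test.php/&quot;anything and compare the two printed values: the first still carries the extra path, the second does not, and neither can break out of the attribute once escaped.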