Jump to content

PHP $_SERVER['PHP_SELF'] vulnerability


ala888
 Share

Recommended Posts

Hello!I don't exactly understand how the vulnerability of injection for the $_SERVER['PHP_SELF'] works.

I've looked at multiple other threads; but what I don't understand is, since the php file is running server side,

how is it even physically possible for the client to alter the value of "$_SERVER['PHP_SELF']" by changing the url in his browser? The command essentially pulls up a list of files from server root and scans through their names. It doesn't check client side url address box! Therefore, anything the user types shouldn't effect the website itself, since the form "$_SERVER['PHP_SELF']" part is deriving its value way back from the server itself.

 

 

thanks for the help!

Link to comment
Share on other sites

There's a description about the injection vulnerability here:http://www.dzhang.com/blog/2013/05/20/php_self-and-cross-site-scripting

how is it even physically possible for the client to alter the value of "$_SERVER['PHP_SELF']" by changing the url in his browser?

You answered your own question - they change the URL.

The command essentially pulls up a list of files

No it doesn't, the value comes from the request headers, which is client-side data. It does not validate it against an actual file. If it did, URL rewriting would not work.
Link to comment
Share on other sites

Thanks to justsomeguy, I just learnt new thing now :)

 

Now the PHP_SELF fetch URL from the address bar, if am using something like

<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"><input type="text" name="" /></form>

and in the address bar I add this (assuming my file is test.php)

test.php/" <script>alert('hello');</script>

Check the ouput now :)

Link to comment
Share on other sites

well then, if it came from there, why would it execute the same php even though the url is different? wont their attempt at modifying url just lead them into a 404 error?

Did you try the example in the article? You can even try it on this forum, add the extra text to the end of index.php and see if it shows a 404 or if it still loads index.php.
Link to comment
Share on other sites

K I understand now. But I have a question to why ['php_self'] grabs its value from the client-side sent request instead of directly from the webserver directory. Seems a bitter counter-intuitive to me; unless of course, there is some inherent benefit to the procedure - please enlighten me.Also, is there another superglobal that does grab its value directly from the web server directory, as an enhanced replacement for ['php_self']

Link to comment
Share on other sites

But I have a question to why ['php_self'] grabs its value from the client-side sent request instead of directly from the webserver directory.

Because that is specifically what PHP_SELF is for. If you want the full local filesystem path to the executing file, use the __FILE__ constant. Otherwise, maybe create a phpinfo page or test page that prints all of $_SERVER and see what's available. Or, check the PHP manual, it describes the $_SERVER array.
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...