fortnox007, posted February 5, 2011

Hi all, I just read an article at http://www.phpro.org/tutorials/PHP-Security.html about not trusting server variables like $_SERVER['PHP_SELF']. So they explain it can't be trusted and so on, but when it comes to a real-life example I have difficulty understanding what someone could do with it, since I assume it only has an effect on the client side. They use a form and say that

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> ... </form>

They give as an example that someone could do the following: add <script>alert("XSS HERE");</script>

But I don't see how that would have an effect on anyone except for the one who inserts that. Could someone maybe explain this a little to me?
Porl123, posted February 5, 2011

You just need to encode the potentially harmful characters, such as double/single quotes, greater/less than symbols and ampersands, using the htmlspecialchars function. Otherwise you're enabling the user to alter the HTML.

http://www.exploit-db.com/exploits/10512/
http://uk2.php.net/manual/en/function.htmlspecialchars.php
fortnox007 (author), posted February 5, 2011

> You just need to encode the potentially harmful characters, such as double/single quotes, greater/less than symbols and ampersands, using the htmlspecialchars function. Otherwise you're enabling the user to alter the HTML.
> http://www.exploit-db.com/exploits/10512/
> http://uk2.php.net/manual/en/function.htmlspecialchars.php

Thanks for your quick reply, Porl. I am happy to do that, but it still leaves my mind boggling what someone could do to others besides himself. I am not willing to hack or anything, but I just have difficulty understanding this. Because the data doesn't get sent to a database or anything, it's just the action of the page, and if the page is not correct the action fails.

-edit: oh wait, I see you linked some extra info, I am going to read that right away. Thank you.

-edit 2: lol, I read the first one and I think I am just not made for this. lol, I think I am going to buy a book on this, because this is total abracadabra for me.
spfoonnewb, posted February 5, 2011

This is basically just XSS. It is client side. The problem is that someone else could send a user a malicious link to your site with potentially whatever code they want. The user will assume that it can be trusted because they trust your site.

For example, let's say I use HTML instead of Javascript. I could push your form down, insert my own form, and then post the data to my own page - effectively collecting your users' info.

As stated above, you need to filter ALL dynamic variables. It doesn't necessarily have to do with the $_SERVER variable, just specific pieces.

This is a decent explanation: http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
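To make the two answers above concrete, here is an added example (not code from the thread or from the linked tutorial) that renders the same form tag twice from a constructed request path: once reflecting PHP_SELF raw, as the tutorial warns against, and once passed through htmlspecialchars as Porl123 recommends. The helper names `html_escape`, `render_form` and `safe_self_action` and the sample path are my own.

```php
<?php
// Added example, not from the thread. PHP_SELF echoes back the path the
// browser requested, so text that a third party placed in a link to your
// site lands inside your HTML. That is why it is "client side" yet still
// hits other users: they follow the link, your page reflects it.

/**
 * Escape a value for use inside an HTML attribute or text node.
 * ENT_QUOTES covers both quote styles so the value cannot close the
 * attribute; ENT_SUBSTITUTE avoids returning an empty string on bad UTF-8.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Build the <form> tag from the tutorial. $escape = false is the
 * pattern the tutorial warns about; $escape = true is the fix.
 */
function render_form(string $phpSelf, bool $escape): string
{
    $action = $escape ? html_escape($phpSelf) : $phpSelf;
    return '<form action="' . $action . '" method="post"></form>';
}

/**
 * Stricter alternative: do not reflect the request path at all, use the
 * script's own file name (SCRIPT_NAME is set by the web server, not
 * taken from the URL path the client appended).
 */
function safe_self_action(): string
{
    return html_escape(basename($_SERVER['SCRIPT_NAME'] ?? 'index.php'));
}

// Constructed request path: the thread's own "XSS HERE" snippet, preceded
// by a quote and > so it can leave the action attribute. This is what a
// link sent to a victim would carry; the server just echoes it.
$requestedPath = '/contact.php/"><script>alert("XSS HERE");</script><!--';

// Raw reflection: the " and > end the attribute, so the <script> tag is
// real markup and runs in the victim's browser on your domain.
echo render_form($requestedPath, false), PHP_EOL;

// Escaped: every " < > becomes &quot; &lt; &gt;, so the browser sees one
// long (harmless) URL string and the form still submits to the page.
echo render_form($requestedPath, true), PHP_EOL;
```

Run it from the command line (`php example.php`) and compare the two lines: only the first contains a literal `<script>` tag.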
fortnox007 (author), posted February 5, 2011

Wicked, that little explanation already gave me a head start. Thanks a lot! I'll certainly sanitize everything, but I find things easier to remember once I understand them. And because most explanations have that little 'xss here' snippet, I never really understood what the fuss was all about. Those sneaky people just send victims a link to a trusted site. Thanks guys for helping me understand this.