xiao, posted December 14, 2007:
Hi, I've used the Acunetix scanner to check for vulnerabilities, and it outputs that my $_SERVER['PHP_SELF'] isn't validated. I tried to filter it for special characters, but doesn't PHP_SELF always use special characters? (:, /, .) How do I filter it? Thank you.
phpSensei, posted December 14, 2007:
You don't validate a $_SERVER['PHP_SELF'] var.
xiao (author), posted December 14, 2007:
Why does Acunetix report this then?

Cross Site Scripting in URI ... This XSS variant usually appears when a PHP script is using one of the following variables without filtering them: PHP_SELF REQUEST_URI SCRIPT_URL SCRIPT_URI ... This vulnerability affects /league/matches.php/>"><ScRiPt>alert(1674394882)%3B</ScRiPt>.
phpSensei, posted December 14, 2007:
> Why does Acunetix report this then?
> Cross Site Scripting in URI ... This XSS variant usually appears when a PHP script is using one of the following variables without filtering them: PHP_SELF REQUEST_URI SCRIPT_URL SCRIPT_URI ... This vulnerability affects /league/matches.php/>"><ScRiPt>alert(1674394882)%3B</ScRiPt>.

That means the URL is vulnerable to XSS. Use this function: strip_tags($URL); You should be fine.
xiao (author), posted December 14, 2007:
So strip_tags($_SERVER['PHP_SELF'])?
phpSensei, posted December 14, 2007:
> So strip_tags($_SERVER['PHP_SELF'])?

Okay, I will break this down for you. Let's say you have an HTTP var (http://www.site.com/?var=ThisIstVulnerable). Now when you do something like

<?php
$url = $_GET['var'];
$url = strip_tags($url); // Removes any HTML in the URL
?>

You use it only when you get data from the URL....

XSS: http://www.cgisecurity.com/articles/xss-faq.shtml
xiao (author), posted December 14, 2007:
Ok, thank you.
phpSensei, posted December 14, 2007:
> Ok, thank you.

I am sorry, I am just not good at giving lessons. Read the article I just posted for you. You're welcome.
PFMaBiSmAd, posted December 14, 2007:
Unfortunately, $_SERVER['PHP_SELF'] can be used for XSS and it should not be used where it is echoed out to the browser:
http://blog.phpdoc.info/archives/13-XSS-Woes.html
http://www.mc2design.com/blog/php_self-you-little-rascal
http://www.buayacorp.com/files/wordpress/wordpress-advisory.txt
xiao (author), posted December 15, 2007:
Thank you. basename($_SERVER['SCRIPT_FILENAME']) seems to work just fine too.
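The following is an added example, not code from anyone in this thread. It reproduces the scanner finding quoted above in a runnable form and puts the vulnerable pattern (echoing PHP_SELF into a form's action attribute) beside the two mitigations the thread arrives at: output-encoding the value for the HTML attribute context, and using a server-derived value such as SCRIPT_NAME or basename(SCRIPT_FILENAME) instead. The $_SERVER values are constructed for the demo (a real web server would populate them from the request), the directory /var/www/html/league is assumed, and the function names are the example's own.

```php
<?php
// Added example: PHP_SELF reflected XSS and its mitigations.
// Run from the command line: php php_self_demo.php

// Constructed request values, modelled on the scanner finding quoted in the
// thread. Under a web server these are filled in from the request; the extra
// path-info after matches.php is what ends up inside PHP_SELF unchanged.
$_SERVER['PHP_SELF']        = '/league/matches.php/">' . '<ScRiPt>alert(1674394882);</ScRiPt>';
$_SERVER['SCRIPT_NAME']     = '/league/matches.php';            // assumed value
$_SERVER['SCRIPT_FILENAME'] = '/var/www/html/league/matches.php'; // assumed path

// 1. Vulnerable pattern: the raw, attacker-influenced path is interpolated
//    straight into an HTML attribute, so the browser renders whatever followed
//    the script name in the URL.
function form_action_unsafe(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// 2. Mitigation A: encode for the HTML attribute context. ENT_QUOTES encodes
//    both quote styles, so the value can no longer terminate the attribute;
//    ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function form_action_encoded(): string
{
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// 3. Mitigation B: do not use the request-derived variable at all.
//    SCRIPT_NAME is the path of the script that actually executed, without any
//    trailing path-info. basename(SCRIPT_FILENAME), the approach from the last
//    post, is similar but drops the directory, so it only resolves correctly
//    when the form posts back to a script in the same directory.
function form_action_script_name(): string
{
    $self = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

function form_action_basename(): string
{
    $self = htmlspecialchars(basename($_SERVER['SCRIPT_FILENAME']), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

echo "Unsafe:       " . form_action_unsafe()      . PHP_EOL;
echo "Encoded:      " . form_action_encoded()     . PHP_EOL;
echo "SCRIPT_NAME:  " . form_action_script_name() . PHP_EOL;
echo "basename():   " . form_action_basename()    . PHP_EOL;
```

Encoding for the output context is the general fix and belongs at every point where a server variable reaches HTML, whichever variable is chosen. strip_tags(), suggested earlier in the thread, removes tags but leaves quote characters untouched, so it does not address the attribute context the scanner flagged; htmlspecialchars() with ENT_QUOTES does.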