Jump to content

[SOLVED] PHP_SELF validation

xiao

By xiao
in PHP Coding Help

 Share

Recommended Posts

xiao Member

xiao

Posted
  • Author
Posted

Why does Acunetix report this then?

 

Cross Site Scripting in URI

...

This XSS variant usually appears when a PHP script is using one of following variables without filtering them:

PHP_SELF

REQUEST_URI

SCRIPT_URL

SCRIPT_URI

...

This vulnerability affects /league/matches.php/>"><ScRiPt>alert(1674394882)%3B</ScRiPt>.

phpSensei Advanced Member

phpSensei

Posted
Posted

Why does Acunetix report this then?

 

Cross Site Scripting in URI

...

This XSS variant usually appears when a PHP script is using one of following variables without filtering them:

PHP_SELF

REQUEST_URI

SCRIPT_URL

SCRIPT_URI

...

This vulnerability affects /league/matches.php/>"><ScRiPt>alert(1674394882)%3B</ScRiPt>.

 

That means the URL is vulnerable to XSS.

 

 

use this function strip_tags($URL);

 

 

You should be fine.

phpSensei Advanced Member

phpSensei

Posted
Posted

so 

strip_tags($_SERVER['PHP_SELF'])

?

 

Okay I will break this down for you.

 

Lets say you have a HTTP VAR (Http://www.site.com/?var=ThisIstVulnerable)

 

Now when you do something like

 

<?php

$url = $_GET['var']; 
$url = strip_tags($url); // Removes any HTML in the URL


?>

 

You use it only when you get data from the URL....

 

 

XSS

 

http://www.cgisecurity.com/articles/xss-faq.shtml

 

PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

Unfortunately, $_SERVER['PHP_SELF'] can be used for XSS and it should not be used where it is echoed out to the browser -

 

http://blog.phpdoc.info/archives/13-XSS-Woes.html

 

http://www.mc2design.com/blog/php_self-you-little-rascal

 

http://www.buayacorp.com/files/wordpress/wordpress-advisory.txt

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.