xiao Posted December 14, 2007 Share Posted December 14, 2007 Hi, I've used the Acunetix scanner to check for vulnerabilities, and it outputs that my $_SERVER['PHP_SELF'] isn't validated. I tried to filter it for special characters, but doesn't PHP_SELf always use special characters? (:,/,.) How do I filter it? Thank you. Link to comment https://forums.phpfreaks.com/topic/81728-solved-php_self-validation/ Share on other sites More sharing options...
phpSensei Posted December 14, 2007 Share Posted December 14, 2007 You don't validate a $_SERVER['PHP_SELF']; var. Link to comment https://forums.phpfreaks.com/topic/81728-solved-php_self-validation/#findComment-415127 Share on other sites More sharing options...
xiao Posted December 14, 2007 Author Share Posted December 14, 2007 Why does Acunetix report this then? Cross Site Scripting in URI ... This XSS variant usually appears when a PHP script is using one of following variables without filtering them: PHP_SELF REQUEST_URI SCRIPT_URL SCRIPT_URI ... This vulnerability affects /league/matches.php/>"><ScRiPt>alert(1674394882)%3B</ScRiPt>. Link to comment https://forums.phpfreaks.com/topic/81728-solved-php_self-validation/#findComment-415138 Share on other sites More sharing options...
phpSensei Posted December 14, 2007 Share Posted December 14, 2007 Why does Acunetix report this then? Cross Site Scripting in URI ... This XSS variant usually appears when a PHP script is using one of following variables without filtering them: PHP_SELF REQUEST_URI SCRIPT_URL SCRIPT_URI ... This vulnerability affects /league/matches.php/>"><ScRiPt>alert(1674394882)%3B</ScRiPt>. That means the URL is vulnerable to XSS. use this function strip_tags($URL); You should be fine. Link to comment https://forums.phpfreaks.com/topic/81728-solved-php_self-validation/#findComment-415139 Share on other sites More sharing options...
xiao Posted December 14, 2007 Author Share Posted December 14, 2007 so strip_tags($_SERVER['PHP_SELF']) ? Link to comment https://forums.phpfreaks.com/topic/81728-solved-php_self-validation/#findComment-415151 Share on other sites More sharing options...
phpSensei Posted December 14, 2007 Share Posted December 14, 2007 so strip_tags($_SERVER['PHP_SELF']) ? Okay I will break this down for you. Lets say you have a HTTP VAR (Http://www.site.com/?var=ThisIstVulnerable) Now when you do something like <?php $url = $_GET['var']; $url = strip_tags($url); // Removes any HTML in the URL ?> You use it only when you get data from the URL.... XSS http://www.cgisecurity.com/articles/xss-faq.shtml Link to comment https://forums.phpfreaks.com/topic/81728-solved-php_self-validation/#findComment-415177 Share on other sites More sharing options...
xiao Posted December 14, 2007 Author Share Posted December 14, 2007 ok, thank you Link to comment https://forums.phpfreaks.com/topic/81728-solved-php_self-validation/#findComment-415179 Share on other sites More sharing options...
phpSensei Posted December 14, 2007 Share Posted December 14, 2007 ok, thank you I am sorry, I am just not good at giving lessons. Read the article I just posted for you. Your welcome. Link to comment https://forums.phpfreaks.com/topic/81728-solved-php_self-validation/#findComment-415188 Share on other sites More sharing options...
PFMaBiSmAd Posted December 14, 2007 Share Posted December 14, 2007 Unfortunately, $_SERVER['PHP_SELF'] can be used for XSS and it should not be used where it is echoed out to the browser - http://blog.phpdoc.info/archives/13-XSS-Woes.html http://www.mc2design.com/blog/php_self-you-little-rascal http://www.buayacorp.com/files/wordpress/wordpress-advisory.txt Link to comment https://forums.phpfreaks.com/topic/81728-solved-php_self-validation/#findComment-415201 Share on other sites More sharing options...
xiao Posted December 15, 2007 Author Share Posted December 15, 2007 Thank you basename($_SERVER[’SCRIPT_FILENAME’]) seems to work just fine too Link to comment https://forums.phpfreaks.com/topic/81728-solved-php_self-validation/#findComment-415552 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.