Are the XSS / Cross Site Scripting attacks fixed in Version 4.44?
I'm seeing that $_SERVER['PHP_SELF'] doesn't return the
$_SERVER['HTTP_QUERYSTRING'] appended to it.
I was just messing with a few things and noticed that PHP_SELF
returns only the page name now and without the $_GET query... http://blog.phpdoc.info/archives/13-XSS-Woes.html
Any comments on this are appreciated.
Thanks.
--
Jim Carlock
Post replies to the group.
Hi,
When using PHP_SELF, I would suggest encoding it appropriately. For
instance:
<form action="<?= htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES) ?>">
In a request to /home.php/a/b/c/d?p=q, your variables would usually be:
REQUEST_URI: /home.php/a/b/c/d?p=q
SCRIPT_NAME: /home.php
PATH_INFO: /a/b/c/d
QUERY_STRING: p=q
PHP_SELF: /home.php/a/b/c/d
An inbound link could put some unsafe code in the PATH_INFO part, so
it's good to encode it when outputting it as HTML.
Jim Carlock wrote...
: After messing with a few things I noticed 'PHP_SELF'
: returns the page name without the $_GET query strings...
:
: http://blog.phpdoc.info/archives/13-XSS-Woes.html
"petersprc" stated...
: When using PHP_SELF, I would suggest encoding it appropriately.
: For instance:
:
: <form action="<?= htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES) ?>">
:
: In a request to /home.php/a/b/c/d?p=q, your variables would usually
: be:
:
: REQUEST_URI: /home.php/a/b/c/d?p=q
: SCRIPT_NAME: /home.php
: PATH_INFO: /a/b/c/d
: QUERY_STRING: p=q
: PHP_SELF: /home.php/a/b/c/d
:
: An inbound link could put some unsafe code in the PATH_INFO
: part, so it's good to encode it when outputting it as HTML.
Good information. Thanks Peter. Maybe it was an Apache bug fixed
by Apache 1.3.37?
Another thing that occurs: PHP_ERR.LOG files show up when
the temporary directory gets deleted. In other words, when the
temporary folder goes bye bye, "php_err.log" files start appearing
in the folders of the website which uses $_SESSION variables.
I'm working with PHP 4.4.4 and Apache 1.3.37 (Windows).
Comments are appreciated.
Thanks.
--
Jim Carlock
You are right that PHP_SELF doesn't include any of the query part. But
still, outputting an unsanitized PHP_SELF would be a problem and could
lead to an XSS vulnerability, because the client can usually include
arbitrary text in the PATH_INFO part. If you use htmlentities, it
should pretty much address that potential problem.
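Both of petersprc's replies above make the same point: PHP_SELF no longer carries the query string, but it still carries the URL-decoded PATH_INFO, which the client controls through the link it follows. The following is an added PHP example, not code from the thread, that renders the form-action line from the first reply in its raw and encoded forms against a $_SERVER array constructed by hand to match the layout petersprc lists. The payload, the function names and the contains_live_script check are assumptions made for illustration; SCRIPT_NAME is shown as the narrower alternative because it holds only the script path as resolved by the server, without PATH_INFO.

```php
<?php
// Added example (not from the thread): how a hostile PATH_INFO reaches
// PHP_SELF and why it must be encoded before it is echoed into HTML.
// The $_SERVER array is constructed by hand, so no web server is needed.

// The unsafe rendering: PHP_SELF echoed raw into an attribute.
function form_unsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post"></form>';
}

// The safe rendering: encode for the HTML attribute context.
// ENT_QUOTES escapes both " and ' so the attribute cannot be closed early.
// htmlentities(), as used in the thread, is equally fine here.
function form_safe(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post"></form>';
}

// Narrower alternative: SCRIPT_NAME is the script path as resolved by the
// server and does not include PATH_INFO. It is still encoded on output,
// because every value that reaches HTML gets encoded, not just the ones
// currently known to be attacker-controlled.
function form_script_name(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post"></form>';
}

// Crude check for the break-out: a <script tag anywhere in the markup
// means the payload escaped the action="..." attribute.
function contains_live_script(string $html): bool
{
    return preg_match('/<script\b/i', $html) === 1;
}

// Constructed request, modelled on petersprc's /home.php/a/b/c/d?p=q but
// with a hostile PATH_INFO. The server URL-decodes the path segment, so
// the quotes and angle brackets arrive in PHP_SELF as-is; the query
// string is absent from PHP_SELF, as the thread observes.
$payload = '/"><script>alert(1)</script>';
$server = [
    'REQUEST_URI'  => '/home.php' . $payload . '?p=q',
    'SCRIPT_NAME'  => '/home.php',
    'PATH_INFO'    => $payload,
    'QUERY_STRING' => 'p=q',
    'PHP_SELF'     => '/home.php' . $payload,
];

$cases = [
    'raw PHP_SELF'         => form_unsafe($server),
    'encoded PHP_SELF'     => form_safe($server),
    'encoded SCRIPT_NAME'  => form_script_name($server),
];

foreach ($cases as $label => $html) {
    $verdict = contains_live_script($html) ? 'XSS (script tag escaped the attribute)' : 'OK';
    printf("%-20s %-40s %s\n", $label, $verdict, $html);
}
```

Running this prints one line per rendering: only the raw PHP_SELF case contains a live script tag; the encoded PHP_SELF case shows the payload neutralised as `&quot;&gt;&lt;script&gt;...`, and the SCRIPT_NAME case never contained the payload at all. Note that the fix is output encoding at the point of use, not a sanitiser applied to $_SERVER on the way in, since the same value may later land in a JavaScript string or a URL, where HTML encoding is the wrong escaping.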
Description of PHP_SELF: http://blog.phpdoc.info/archives/13-XSS-Woes.html