$_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF'] (or other?)

Looking for a way to extract the path from the pfqpn (partially
full qualified path name).

$sThisServer = $_SERVER['HTTP_HOST'];
// returns either aquaticcreationsnc.com or www.aquaticcreationsnc.com

$sThisServer = $_SERVER['SERVER_NAME'];
// returns aquaticcreationsnc.com whether or not the end-user typed
// in the preceding www.

$sThisFilePath = getcwd();
// returns server-side mapping to folder

Specifically, I want the path from the root of the virtual host to the
current folder... and so far I've got this...

function GetThisPath() {
    return("http://" . $_SERVER['SERVER_NAME'] . str_replace("index.php", "", $_SERVER['SCRIPT_NAME']));
}

That assumes the filename in the folder equals "index.php".

I could configure it as an optional parameter?

function GetThisPath($sFilename = "index.php") {
    // Strip the script's filename from SCRIPT_NAME to leave the folder path.
    return("http://" . $_SERVER['SERVER_NAME'] . str_replace($sFilename, "", $_SERVER['SCRIPT_NAME']));
}

I'm sure there are plenty of ways to handle this. I thought
about implode()/explode() to handle unknown filenames,
but perhaps PHP already handles this?

And the subject... is one of the variables better than the other? One
a wrapper to the other? Which one is the wrapper and which one
is the final calling? Anyone know where to find such details? If there's
a link available...

$_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF']

Thanks much.

Jim Carlock
Post replies to the group.
Feb 26 '06 #1
Jim Carlock wrote:
And the subject... is one of the variables better than the other? One
a wrapper to the other? Which one is the wrapper and which one
is the final calling? Anyone know where to find such details? If there's
a link available...

$_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF']


PHP_SELF can be leveraged to effect XSS attacks if the webserver is
configured to allow GET parameters embedded in the path. Write a script,
say /home/jim/public_html/inf.php:

<?php

phpinfo();

?>

Then try accessing it with:

http://localhost/~jim/inf.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E%3Cblahblah

Look at the source - you'll see that script_name was not vulnerable.

C.
Feb 26 '06 #2
Jim Carlock wrote:
And the subject... is one of the variables better than the other? One
a wrapper to the other? Which one is the wrapper and which one
is the final calling? Anyone know where to find such details? If there's
a link available...

$_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF']
"Colin McKinnon" posted a reply:
PHP_SELF can be leveraged to effect XSS attacks if the webserver
is configured to allow GET parameters embedded in the path. Write
a script, say /home/jim/public_html/inf.php:
<?php phpinfo(); ?>
Then try accessing it with:
http://localhost/~jim/inf.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E%3Cblahblah

Look at the source - you'll see that script_name was not vulnerable.


Okay, that specific example didn't reference $_SERVER['SCRIPT_NAME']
nor $_SERVER['PHP_SELF'].

Did you forget to include something?

I tested it out. phpinfo() reported the following:

----

Apache Environment Variables

PATH_INFO: /"><script>alert('hacked')</script><blahblah
REQUEST_URI: /test.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E%3Cblahblah

----

HTTP Headers Information

HTTP Request: GET /test.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E%3Cblahblah HTTP/1.1

It looks like that "script" depends upon some sort of CGI capability,
perhaps PHP.EXE configured into the PATH. Is that related to the
subject in some way ?

<g> You lost me there.

Jim Carlock
Post replies to the group.
Feb 26 '06 #3
Is there something that can be done to prevent that sort of
thing?

Thanks for the post.

Jim Carlock
Post replies to the group.
Feb 26 '06 #4
"Jim Carlock" asked:
Is there something that can be done to prevent that sort of thing?


I've got a better feel for the problem with PHP_SELF and XSS
attacks. I initially misread your statement and while the Mozilla
browser displayed nothing (javascript turned off), Microsoft's
Internet Explorer showed the problem.

I found a great link describing the $_SERVER['PHP_SELF'],
http://blog.phpdoc.info/archives/13-XSS-Woes.html, which
definitely doesn't seem limited to that variable, but also to the
other items:

phpinfo()
$_SERVER['PHP_SELF']
$_SERVER['PHP_INFO']

Some digging into: +PHP "XSS attack" turned up all sorts of things,
including the link above, which in turn led to this link, which describes
vulnerabilities of $_SERVER['SERVER_NAME'] ...
http://www-128.ibm.com/developerwork...81&entry=75480

<html>
<head>
<title>Testing Server Variables</title>
</head>
<body><p><a href="#<?php echo($_SERVER['SERVER_NAME']); ?>">Hold your mouse over this link</a></p>
<p><?php echo($_SERVER['PHP_SELF']); ?></p></body></html>

The above encoding turns up some really odd behaviors.

Holding the mouse over that link results in...

http://localhost/test.php/%22%3E%3Ci...h#70.124.31.73

While clicking on the source code itself presents the following
(Internet Explorer, click on View, click on Source):

<html>
<head>
<title>Testing Server Variables</title>
</head>
<body><p><a href="#70.124.31.73">Hold your mouse over this link</a></p>
<p>/test.php/\"><img src=http://www.perl.com/images/75-logo.jpg><blah</p></body></html>

Thanks for bringing up "XSS attack" inside of PHP. I'm not quite
sure what the above completely represents, but it appears that
possibly the http headers were compromised as well, showing
a vulnerability with $_SERVER['SERVER_NAME'].

Anyone else here that knows what's going on there and any
suggestions are greatly appreciated.

Jim Carlock
Post replies to the group.
Feb 26 '06 #5
Jim Carlock wrote:
"Jim Carlock" asked:

Is there something that can be done to prevent that sort of thing?


I've got a better feel for the problem with PHP_SELF and XSS
attacks. I initially misread your statement and while the Mozilla
browser displayed nothing (javascript turned off), Microsoft's
Internet Explorer showed the problem.

I found a great link describing the $_SERVER['PHP_SELF'],
http://blog.phpdoc.info/archives/13-XSS-Woes.html, which
definitely doesn't seem limited to that variable, but also to the
other items:

phpinfo()
$_SERVER['PHP_SELF']
$_SERVER['PHP_INFO']

Some digging into: +PHP "XSS attack" turned up all sorts of things,
including the link above, which in turn led to this link, which describes
vulnerabilities of $_SERVER['SERVER_NAME'] ...
http://www-128.ibm.com/developerwork...81&entry=75480

<html>
<head>
<title>Testing Server Variables</title>
</head>
<body><p><a href="#<?php echo($_SERVER['SERVER_NAME']); ?>">Hold your mouse over this link</a></p>
<p><?php echo($_SERVER['PHP_SELF']); ?></p></body></html>

The above encoding turns up some really odd behaviors.

Holding the mouse over that link results in...

http://localhost/test.php/%22%3E%3Ci...h#70.124.31.73

While clicking on the source code itself presents the following
(Internet Explorer, click on View, click on Source):

<html>
<head>
<title>Testing Server Variables</title>
</head>
<body><p><a href="#70.124.31.73">Hold your mouse over this link</a></p>
<p>/test.php/\"><img src=http://www.perl.com/images/75-logo.jpg><blah</p></body></html>

Thanks for bringing up "XSS attack" inside of PHP. I'm not quite
sure what the above completely represents, but it appears that
possibly the http headers were compromised as well, showing
a vulnerability with $_SERVER['SERVER_NAME'].

Anyone else here that knows what's going on there and any
suggestions are greatly appreciated.

Jim Carlock
Post replies to the group.

I'm just trying to follow this discussion, so I tried the examples to
see what happens

When I re-create the example at:
http://blog.phpdoc.info/archives/13-XSS-Woes.html

When I inject the "extra data" nothing happens. I get a server error:
The requested URL /testing/testing server variables.php/\ was not found
on this server.

When I try the same example on my remote host I get a 403 error:
script%3E%3Cfoo access denied

I never see the JavaScript alert executed (I have Javascript enabled).

--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
Integrity is obvious.
The lack of it is common.
*****************************
Feb 26 '06 #6
"Chuck Anderson" <we************@seemy.sig> wrote:
I'm just trying to follow this discussion, so I tried the examples to
see what happens

When I re-create the example at:
http://blog.phpdoc.info/archives/13-XSS-Woes.html


Hi, Chuck,

I provided the link as an explanation of the problem rather than
trying those items out. I did notice that the same typed uri that Colin
McKinnon suggested to test things was found on that page.

Colin McKinnon's sample works for me.

(1) Page named test.php containing:

<?php phpinfo(); ?>

(2) Then type into the address-bar:

http://localhost/test.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E%3Cblahblah

That specific example requires a browser with JavaScript enabled.

(1) I tested the following code with Internet Explorer, saved as file
named test.php.

<html>
<head>
<title>Testing Server Variables</title>
</head>
<body><p><a href="#<?php echo($_SERVER['SERVER_NAME']); ?>">Hold your mouse over this link</a></p>
<p><?php echo($_SERVER['PHP_SELF']); ?></p></body></html>

(2) Then typed the following into the address bar of Internet Explorer:

http://localhost/test.php/%22%3E%3Ci....jpg%3E%3Cblah

It presented the following HTML encoding, properly rendering the
displayal of the picture:

<html>
<head>
<title>Testing Server Variables</title>
</head>
<body><p><a href="#127.0.0.1">Hold your mouse over this link</a></p>
<p>/test.php/\"><img src=http://www.perl.com/images/75-logo.jpg><blah></p></body></html>

When moving the mouse over the line that says,

"Hold your mouse over this link".

Take notice of what the browser puts in your statusbar while hovering
over the link.

I tested the problems on two different servers,

(1) is a server running PHP on Apache on Windows XP Pro.
(2) I see the problem on the Unix server running Apache and
PHP.

Both servers are running older versions of Apache (1.3) and
PHP (4.4.1). So perhaps it only applies to older versions of
PHP?

Just curious, which versions of PHP are you testing this on?

Jim Carlock
Post replies to the group.
Feb 27 '06 #7
Jim Carlock wrote:
"Chuck Anderson" <we************@seemy.sig> wrote:

I'm just trying to follow this discussion, so I tried the examples to
see what happens

When I re-create the example at:
http://blog.phpdoc.info/archives/13-XSS-Woes.html
Hi, Chuck,

I provided the link as an explanation of the problem rather than
trying those items out. I did notice that the same typed uri that Colin
McKinnon suggested to test things was found on that page.

Colin McKinnon's sample works for me.

(1) Page named test.php containing:

<?php phpinfo(); ?>

(2) Then type into the address-bar:

http://localhost/test.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E%3Cblahblah

That specific example requires a browser with JavaScript enabled.

When I do that locally, I see nothing odd about phpinfo (the extra data
string is part of server data, but I would expect that).

WindowsXP Pro
Apache 2.0
Php 4.4.1

No JavaScript is executed.

When I do the same on my remote server, I get a 403 error. Added extra
data =
/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E%3Cblahblah

That's on Linux - Php 4.4.1 and Apache 1.3.34.
(1) I tested the following code with Internet Explorer, saved as file
named test.php.

<html>
<head>
<title>Testing Server Variables</title>
</head>
<body><p><a href="#<?php echo($_SERVER['SERVER_NAME']); ?>">Hold your mouse over this link</a></p>
<p><?php echo($_SERVER['PHP_SELF']); ?></p></body></html>

(2) Then typed the following into the address bar of Internet Explorer:

http://localhost/test.php/%22%3E%3Ci....jpg%3E%3Cblah

It presented the following HTML encoding, properly rendering the
displayal of the picture:

<html>
<head>
<title>Testing Server Variables</title>
</head>
<body><p><a href="#127.0.0.1">Hold your mouse over this link</a></p>
<p>/test.php/\"><img src=http://www.perl.com/images/75-logo.jpg><blah></p></body></html>

When moving the mouse over the line that says,

"Hold your mouse over this link".

Take notice of what the browser puts in your statusbar while hovering
over the link.

Okay, now this I see (the image).

But if I use Colin's extra data -
/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E%3Cblahblah
- the javaScript is not executed - not in Firefox or IE.
I tested the problems on two different servers,

(1) is a server running PHP on Apache on Windows XP Pro.
(2) I see the problem on the Unix server running Apache and
PHP.

Both servers are running older versions of Apache (1.3) and
PHP (4.4.1). So perhaps it only applies to older versions of
PHP?

Just curious, which versions of PHP are you testing this on?

See above.

--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
Integrity is obvious.
The lack of it is common.
*****************************
Feb 28 '06 #8
I can't find the link right at the moment, but somewhere I read
something about magic_quotes settings in the PHP.INI file.

The current settings on the XP machine...

<snip>
; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
;...
;added php_mime_magic.dll to test mime_content_type() function
extension=php_mime_magic.dll
</snip>

I enabled the php_mime_magic.dll on the XP machine.
The Apache server lists mod_mime_magic as a loaded module.

On the aquaticcreationsnc.com server (run by some webhosting
company) the settings read the same:

magic_quotes_gpc = On
magic_quotes_runtime = Off
magic_quotes_sybase = Off

Apache Loaded Modules (displayed through phpinfo();)...
mod_mime_magic

And there is a Directive listed in both configurations as:
<Directive name="safe_mode_allowed_env_vars" content="Local Value=PHP_" />

Anyways, Google is apparently vulnerable to the XSS
(cross site scripting) attacks as well. In fact, I noticed some
strange things happening with Google and their cached pages.

There seems to be quite a bit of information available here...
http://lists.grok.org.uk/pipermail/f...5-December.txt

I'm lost. Hopefully someone knows what's going on and can help
out.

Jim Carlock
Raleigh+Swimming+Pool+Builders++http://aquaticcreationsnc.com/
Post replies to the group.
Feb 28 '06 #9
Jim Carlock wrote:
I can't find the link right at the moment, but somewhere I read
something about magic_quotes settings in the PHP.INI file.

http://tinyurl.com/jajd3 may be what you were thinking of.
The current settings on the XP machine...

<snip>
; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
;...
;added php_mime_magic.dll to test mime_content_type() function
extension=php_mime_magic.dll
</snip>

I enabled the php_mime_magic.dll on the XP machine.
The Apache server lists mod_mime_magic as a loaded module.

On the aquaticcreationsnc.com server (run by some webhosting
company) the settings read the same:

magic_quotes_gpc = On
magic_quotes_runtime = Off
magic_quotes_sybase = Off

Apache Loaded Modules (displayed through phpinfo();)...
mod_mime_magic

And there is a Directive listed in both configurations as:
<Directive name="safe_mode_allowed_env_vars" content="Local Value=PHP_" />

Anyways, Google is apparently vulnerable to the XSS
(cross site scripting) attacks as well. In fact, I noticed some
strange things happening with Google and their cached pages.

There seems to be quite a bit of information available here...
http://lists.grok.org.uk/pipermail/f...5-December.txt

I'm lost. Hopefully someone knows what's going on and can help
out.

Jim Carlock
Raleigh+Swimming+Pool+Builders++http://aquaticcreationsnc.com/
Post replies to the group.

Feb 28 '06 #10
Jim Carlock wrote:
I can't find the link right at the moment, but somewhere I read
something about magic_quotes settings in the PHP.INI file.

The current settings on the XP machine...

<snip>
; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
;...
;added php_mime_magic.dll to test mime_content_type() function
extension=php_mime_magic.dll
</snip>

I enabled the php_mime_magic.dll on the XP machine.
The Apache server lists mod_mime_magic as a loaded module.

On the aquaticcreationsnc.com server (run by some webhosting
company) the settings read the same:

magic_quotes_gpc = On
magic_quotes_runtime = Off
magic_quotes_sybase = Off

Apache Loaded Modules (displayed through phpinfo();)...
mod_mime_magic

And there is a Directive listed in both configurations as:
<Directive name="safe_mode_allowed_env_vars" content="Local Value=PHP_" />

Anyways, Google is apparently vulnerable to the XSS
(cross site scripting) attacks as well. In fact, I noticed some
strange things happening with Google and their cached pages.

There seems to be quite a bit of information available here...
http://lists.grok.org.uk/pipermail/f...5-December.txt

I'm lost. Hopefully someone knows what's going on and can help
out.

I'm quite lost, too. Just trying to make sense of this for use in future
implementations. I try to add security related issues that I read about
here (and *understand*) to my Php scripting habits. I use forms with
action=PHP_SELF quite often.

If it makes any difference, magic quotes gpc is enabled on both my local
machine and at my remote host.

--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
Integrity is obvious.
The lack of it is common.
*****************************
Feb 28 '06 #11
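
Added example, not part of any post in this thread: the PHP_SELF output pattern discussed above next to an escaped form, run against constructed request data. It models PHP_SELF as SCRIPT_NAME followed by the decoded PATH_INFO (as the View Source output in the thread shows) and uses addslashes() to stand in for the quote escaping seen there; h(), formUnsafe(), formSafe() and folderUrl() are hypothetical helper names.

```php
<?php
// Constructed sample request data, modelled on the URL tested in the thread:
//   /~jim/inf.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E%3Cblahblah
$server = [
    'SERVER_NAME' => 'localhost',
    'SCRIPT_NAME' => '/~jim/inf.php',
    'PATH_INFO'   => '/"><script>alert(\'hacked\')</script><blahblah',
];
// Assumption: PHP_SELF = SCRIPT_NAME + decoded PATH_INFO, matching the
// "/test.php/\"><img ..." output quoted in the thread.
$server['PHP_SELF'] = $server['SCRIPT_NAME'] . $server['PATH_INFO'];

// HTML-escape for element content and for quoted attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Pattern from the thread: raw PHP_SELF written into an attribute.
function formUnsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// SCRIPT_NAME does not carry the extra path, and is still escaped on output.
function formSafe(array $server): string
{
    return '<form action="' . h($server['SCRIPT_NAME']) . '" method="post">';
}

// Folder URL for the running script without assuming it is named index.php.
// SERVER_NAME is escaped too, since the thread questions that variable as well.
function folderUrl(array $server): string
{
    // dirname() can return "\" on Windows for a root-level script.
    $dir = rtrim(str_replace('\\', '/', dirname($server['SCRIPT_NAME'])), '/');
    return 'http://' . h($server['SERVER_NAME']) . h($dir) . '/';
}

// Quote escaping alone: backslashes are added but < and > pass through.
$slashed = addslashes($server['PHP_SELF']);

echo "unsafe form : ", formUnsafe($server), "\n";
echo "slashes only: <p>", $slashed, "</p>\n";
echo "safe form   : ", formSafe($server), "\n";
echo "escaped self: <p>", h($server['PHP_SELF']), "</p>\n";
echo "folder url  : ", folderUrl($server), "\n";
```

Run it from the command line with `php` and compare the "slashes only" line with the "escaped self" line: only the second turns the angle brackets and quotes into entities.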
