By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
458,127 Members | 1,155 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 458,127 IT Pros & Developers. It's quick & easy.

XSS / Cross Site Scripting Attacks Fixed $_SERVER['PHP_SELF'] ?

P: n/a
Are the XSS / Cross Site Scripting attacks fixed in Version 4.44?

I'm seeing that $_SERVER['PHP_SELF'] doesn't return the
$_SERVER['HTTP_QUERYSTRING'] appended to it.

I was just messing with a few things and noticed that PHP_SELF
returns only the page name now and without the $_GET query...

http://blog.phpdoc.info/archives/13-XSS-Woes.html

Any comments on this are appreciated.

Thanks.

--
Jim Carlock
Post replies to the group.

Nov 21 '06 #1
Share this Question
Share on Google+
4 Replies


P: n/a
Hi,

When using PHP_SELF, I would suggest encoding it appropriately. For
instance:

<form action="<?= htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES)
?>">

In a request to /home.php/a/b/c/d?p=q, your variables would usually be:

REQUEST_URI: /home.php/a/b/c/d?p=q
SCRIPT_NAME: /home.php
PATH_INFO: /a/b/c/d
QUERY_STRING: p=q
PHP_SELF: /home.php/a/b/c/d

An inbound link could put some unsafe code in the PATH_INFO part, so
it's good to encode it when outputting it as HTML.
Jim Carlock wrote:
Are the XSS / Cross Site Scripting attacks fixed in Version 4.44?

I'm seeing that $_SERVER['PHP_SELF'] doesn't return the
$_SERVER['HTTP_QUERYSTRING'] appended to it.

I was just messing with a few things and noticed that PHP_SELF
returns only the page name now and without the $_GET query...

http://blog.phpdoc.info/archives/13-XSS-Woes.html

Any comments on this are appreciated.

Thanks.

--
Jim Carlock
Post replies to the group.
Nov 21 '06 #2

P: n/a
Jim Carlock wrote...
: After messing with a few things I noticed 'PHP_SELF'
: returns the page name without the $_GET query strings...
:
: http://blog.phpdoc.info/archives/13-XSS-Woes.html

"petersprc" stated...
: When using PHP_SELF, I would suggest encoding it appropriately.
: For instance:
:
: <form action="<?= htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES) ?>">
:
: In a request to /home.php/a/b/c/d?p=q, your variables would usually
: be:
:
: REQUEST_URI: /home.php/a/b/c/d?p=q
: SCRIPT_NAME: /home.php
: PATH_INFO: /a/b/c/d
: QUERY_STRING: p=q
: PHP_SELF: /home.php/a/b/c/d
:
: An inbound link could put some unsafe code in the PATH_INFO
: part, so it's good to encode it when outputting it as HTML.

Good information. Thanks Peter. Maybe it was an Apache bug fixed
by Apache 1.3.37?

Another thing that occurs, PHP_ERR.LOG files show up when
the temporary directory gets deleted, in other words when the
temporary folder goes bye bye, "php_err.log" files start appearing
in the folders of the website which uses $_SESSION variables.
I'm working with PHP 4.4.4 and Apache 1.3.37 (Windows).

Comments are appreciated.

Thanks.

--
Jim Carlock
Nov 21 '06 #3

P: n/a
You are right that PHP_SELF doesn't include any of the query part. But
still, outputting an unsanitized PHP_SELF would be a problem and could
lead to an XSS vulnerability, because the client can usually include
arbitrary text in the PATH_INFO part. If you use htmlentities, it
should pretty much address that potential problem.

Jim Carlock wrote:
Jim Carlock wrote...
: After messing with a few things I noticed 'PHP_SELF'
: returns the page name without the $_GET query strings...
:
: http://blog.phpdoc.info/archives/13-XSS-Woes.html

"petersprc" stated...
: When using PHP_SELF, I would suggest encoding it appropriately.
: For instance:
:
: <form action="<?= htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES) ?>">
:
: In a request to /home.php/a/b/c/d?p=q, your variables would usually
: be:
:
: REQUEST_URI: /home.php/a/b/c/d?p=q
: SCRIPT_NAME: /home.php
: PATH_INFO: /a/b/c/d
: QUERY_STRING: p=q
: PHP_SELF: /home.php/a/b/c/d
:
: An inbound link could put some unsafe code in the PATH_INFO
: part, so it's good to encode it when outputting it as HTML.

Good information. Thanks Peter. Maybe it was an Apache bug fixed
by Apache 1.3.37?

Another thing that occurs, PHP_ERR.LOG files show up when
the temporary directory gets deleted, in other words when the
temporary folder goes bye bye, "php_err.log" files start appearing
in the folders of the website which uses $_SESSION variables.
I'm working with PHP 4.4.4 and Apache 1.3.37 (Windows).

Comments are appreciated.

Thanks.

--
Jim Carlock
Nov 24 '06 #4

P: n/a
Description of PHP_SELF:
http://blog.phpdoc.info/archives/13-XSS-Woes.html

petersprc wrote:
You are right that PHP_SELF doesn't include any of the query part. But
still, outputting an unsanitized PHP_SELF would be a problem and could
lead to an XSS vulnerability, because the client can usually include
arbitrary text in the PATH_INFO part. If you use htmlentities, it
should pretty much address that potential problem.

Jim Carlock wrote:
Jim Carlock wrote...
: After messing with a few things I noticed 'PHP_SELF'
: returns the page name without the $_GET query strings...
:
: http://blog.phpdoc.info/archives/13-XSS-Woes.html

"petersprc" stated...
: When using PHP_SELF, I would suggest encoding it appropriately.
: For instance:
:
: <form action="<?= htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES) ?>">
:
: In a request to /home.php/a/b/c/d?p=q, your variables would usually
: be:
:
: REQUEST_URI: /home.php/a/b/c/d?p=q
: SCRIPT_NAME: /home.php
: PATH_INFO: /a/b/c/d
: QUERY_STRING: p=q
: PHP_SELF: /home.php/a/b/c/d
:
: An inbound link could put some unsafe code in the PATH_INFO
: part, so it's good to encode it when outputting it as HTML.

Good information. Thanks Peter. Maybe it was an Apache bug fixed
by Apache 1.3.37?

Another thing that occurs, PHP_ERR.LOG files show up when
the temporary directory gets deleted, in other words when the
temporary folder goes bye bye, "php_err.log" files start appearing
in the folders of the website which uses $_SESSION variables.
I'm working with PHP 4.4.4 and Apache 1.3.37 (Windows).

Comments are appreciated.

Thanks.

--
Jim Carlock
Nov 24 '06 #5

This discussion thread is closed

Replies have been disabled for this discussion.