$_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF'] (or other?)

Re: $_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF'] (or other?)

Jim Carlock wrote:
[color=blue]
> And the subject... is one of the variables better than the other? One
> a wrapper to the other? Which one is the wrapper and which one
> is the final calling? Anyone know where to find such details? If there's
> a link available...
>
> $_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF']
>[/color]

PHP_SELF can be leveraged to effect XSS attacks if the webserver is
configured to allow GET parameters embedded in the path. Write a script,
say /home/jim/public_html/inf.php:

<?php

phpinfo();

?>

The try accessing it with:

http://localhost/~jim/inf.php/%22%3E%3Cscript %3Ealert('hacke d')%3C/script%3E%3Cbla hblah

Look at the source - you'll see that script_name was not vulnerable.

C.

Re: $_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF'] (or other?)

Jim Carlock wrote:
[color=blue]
> And the subject... is one of the variables better than the other? One
> a wrapper to the other? Which one is the wrapper and which one
> is the final calling? Anyone know where to find such details? If there's
> a link available...
>
> $_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF']
>[/color]
"Colin McKinnon" posted a reply:[color=blue]
> P_SELF can be leveraged to effect XSS attacks if the webserver
> is configured to allow GET parameters embedded in the path. Write
> a script, say /home/jim/public_html/inf.php:[/color]

<?php phpinfo(); ?>
[color=blue]
> The try accessing it with:
> http://localhost/~jim/inf.php/%22%3E%3Cscript %3Ealert('hacke d')%3C/script%3E%3Cbla hblah
>
> Look at the source - you'll see that script_name was not vulnerable.[/color]

Okay, that specific example didn't reference $_SERVER['SCRIPT_NAME']
nor $_SERVER['PHP_SELF'].

Did you forget to include something?

I tested it out. phpinfo() reported the following:

----

Apache Environment Variables

PATH_INFO: /"><script>alert ('hacked')</script><blahbla h
REQUEST_URI: /test.php/%22%3E%3Cscript %3Ealert('hacke d')%3C/script%3E%3Cbla hblah

----

HTTP Headers Information

HTTP Request: GET /test.php/%22%3E%3Cscript %3Ealert('hacke d')%3C/script%3E%3Cbla hblah HTTP/1.1

It looks like that "script" depends upon some sort of CGI capability,
perhaps PHP.EXE configured into the PATH. Is that related to the
subject in some way ?

<g> You lost me there.

Jim Carlock
Post replies to the group.

Re: $_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF'] (or other?)

Is there something that can be done to prevent that sort of
thing?

Thanks for the post.

Jim Carlock
Post replies to the group.

Re: $_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF'] (or other?)

"Jim Carlock" asked:[color=blue]
> Is there something that can be done to prevent that sort of thing?[/color]

I've got a better feel for the problem with PHP_SELF and XSS
attacks. I initially misread your statement and while the Mozilla
browser displayed nothing (javascript turned off), Microsoft's
Internet Explorer showed the problem.

I found a great link describing the $_SERVER['PHP_SELF'],
http://blog.phpdoc.info/archives/13-XSS-Woes.html, which
definitely doesn't seem limited to that variable, but also to the
other items:

phpinfo()
$_SERVER['PHP_SELF']
$_SERVER['PHP_INFO']

Some digging into: +PHP "XSS attack" turned up all sorts of things,
including the link above, which in turn led to this link, which describes
vulnerabilities of $_SERVER['SERVER_NAME'] ...


<html>
<head>
<title>Testin g Server Variables</title>
</head>
<body><p><a href="#<?php echo($_SERVER['SERVER_NAME']); ?>">Hold your mouse over this link</a></p>
<p><?php echo($_SERVER['PHP_SELF']); ?></p></body></html>

The above encoding turns up some really odd behaviors.

Holding the mouse over that link results in...



While clicking on the source code itself presents the following
(Internet Explorer, click on View, click on Source):

<html>
<head>
<title>Testin g Server Variables</title>
</head>
<body><p><a href="#70.124.3 1.73">Hold your mouse over this link</a></p>
<p>/test.php/\"><img src=http://www.perl.com/images/75-logo.jpg><blah</p></body></html>

Thanks for bringing up "XSS attack" inside of PHP. I'm not quite
sure what the above completely represents, but it appears that
possibly the http headers were compromised as well, showing
a vulnerability with $_SERVER['SERVER_NAME'].

Anyone else here that knows what's going on there and any
suggestions are greatly appreciated.

Jim Carlock
Post replies to the group.

Re: $_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF'] (or other?)

Jim Carlock wrote:
[color=blue]
>"Jim Carlock" asked:
>
>[color=green]
>>Is there something that can be done to prevent that sort of thing?
>>
>>[/color]
>
>I've got a better feel for the problem with PHP_SELF and XSS
>attacks. I initially misread your statement and while the Mozilla
>browser displayed nothing (javascript turned off), Microsoft's
>Internet Explorer showed the problem.
>
>I found a great link describing the $_SERVER['PHP_SELF'],
>http://blog.phpdoc.info/archives/13-XSS-Woes.html, which
>definitely doesn't seem limited to that variable, but also to the
>other items:
>
>phpinfo()
>$_SERVER['PHP_SELF']
>$_SERVER['PHP_INFO']
>
>Some digging into: +PHP "XSS attack" turned up all sorts of things,
>including the link above, which in turn led to this link, which describes
>vulnerabilitie s of $_SERVER['SERVER_NAME'] ...
>http://www-128.ibm.com/developerwork...81&entry=75480
>
><html>
><head>
><title>Testi ng Server Variables</title>
></head>
><body><p><a href="#<?php echo($_SERVER['SERVER_NAME']); ?>">Hold your mouse over this link</a></p>
><p><?php echo($_SERVER['PHP_SELF']); ?></p></body></html>
>
>The above encoding turns up some really odd behaviors.
>
>Holding the mouse over that link results in...
>
>http://localhost/test.php/%22%3E%3Ci...h#70.124.31.73
>
>While clicking on the source code itself presents the following
>(Internet Explorer, click on View, click on Source):
>
><html>
><head>
><title>Testi ng Server Variables</title>
></head>
><body><p><a href="#70.124.3 1.73">Hold your mouse over this link</a></p>
><p>/test.php/\"><img src=http://www.perl.com/images/75-logo.jpg><blah</p></body></html>
>
>Thanks for bringing up "XSS attack" inside of PHP. I'm not quite
>sure what the above completely represents, but it appears that
>possibly the http headers were compromised as well, showing
>a vulnerability with $_SERVER['SERVER_NAME'].
>
>Anyone else here that knows what's going on there and any
>suggestions are greatly appreciated.
>
>Jim Carlock
>Post replies to the group.
>[/color]
I'm just trying to follow this discussion, so I tried the examples to
see what happens

When I re-create the example at:


When I inject the "extra data" nothing happens. I get a server error:
The requested URL /testing/testing server variables.php/\ was not found
on this server.

When I try the same example on my remote host I get a 403 error:
script%3E%3Cfoo access denied

I never see the JavaScript alert executed (I have Javascript enabled).

--
*************** **************
Chuck Anderson • Boulder, CO

Integrity is obvious.
The lack of it is common.
*************** **************

Re: $_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF'] (or other?)

"Chuck Anderson" <websiteaddress @seemy.sig> wrote:[color=blue]
> I'm just trying to follow this discussion, so I tried the examples to
> see what happens
>
> When I re-create the example at:
> http://blog.phpdoc.info/archives/13-XSS-Woes.html[/color]

Hi, Chuck,

I provided the link as an explanation of the problem rather than
trying those items out. I did notice that the same typed uri that Colin
McKinnon suggested to test things was found on that page.

Colin McKinnon's sample works for me.

(1) Page named test.php containing:

<?php phpinfo(); ?>

(2) Then type into the address-bar:

http://localhost/test.php/%22%3E%3Cscript %3Ealert('hacke d')%3C/script%3E%3Cbla hblah

That specific example requires a browser with JavaScript enabled.

(1) I tested the following code with Internet Explorer, saved as file
named test.php.

<html>
<head>
<title>Testin g Server Variables</title>
</head>
<body><p><a href="#<?php echo($_SERVER['SERVER_NAME']); ?>">Hold your mouse over this link</a></p>
<p><?php echo($_SERVER['PHP_SELF']); ?></p></body></html>

(2) Then typed the following into the address bar of Internet Explorer:



It presented the following HTML encoding, properly rendering the
displayal of the picture:

<html>
<head>
<title>Testin g Server Variables</title>
</head>
<body><p><a href="#127.0.0. 1">Hold your mouse over this link</a></p>
<p>/test.php/\"><img src=http://www.perl.com/images/75-logo.jpg><blah> </p></body></html>

When moving the mouse over the the line that says,

"Hold your mouse over this link".

Take notice of what the browser puts in your statusbar while hovering
over the link.

I tested the problems on two different servers,

(1) is a server running PHP on Apache on Windows XP Pro.
(2) I see the problem on the Unix server running Apache and
PHP.

Both servers are running older versions of Apache (1.3) and
PHP (4.4.1). So perhaps it only applies to older versions of
PHP?

Just curious, which versions of PHP are you testing this on?

Jim Carlock
Post replies to the group.

Re: $_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF'] (or other?)

Jim Carlock wrote:
[color=blue]
>"Chuck Anderson" <websiteaddress @seemy.sig> wrote:
>
>[color=green]
>>I'm just trying to follow this discussion, so I tried the examples to
>>see what happens
>>
>>When I re-create the example at:
>>http://blog.phpdoc.info/archives/13-XSS-Woes.html
>>
>>[/color]
>
>Hi, Chuck,
>
>I provided the link as an explanation of the problem rather than
>trying those items out. I did notice that the same typed uri that Colin
>McKinnon suggested to test things was found on that page.
>
>Colin McKinnon's sample works for me.
>
>(1) Page named test.php containing:
>
><?php phpinfo(); ?>
>
>(2) Then type into the address-bar:
>
>http://localhost/test.php/%22%3E%3Cscript %3Ealert('hacke d')%3C/script%3E%3Cbla hblah
>
>That specific example requires a browser with JavaScript enabled.
>
>[/color]
When I do that locally, I see nothing odd about phpinfo (the extra data
string is part of server data, but I would expect that).

WindowsXP Pro
Apache 2.0
Php 4.4.1

No JavaScript is executed.

When I do the same on my remote server, I get a 403 error. Added extra
data =
/%22%3E%3Cscript %3Ealert('hacke d')%3C/script%3E%3Cbla hblah

That's on Linux - Php 4.4.1 and Apache 1.3.34.
[color=blue]
>(1) I tested the following code with Internet Explorer, saved as file
>named test.php.
>
><html>
><head>
><title>Testi ng Server Variables</title>
></head>
><body><p><a href="#<?php echo($_SERVER['SERVER_NAME']); ?>">Hold your mouse over this link</a></p>
><p><?php echo($_SERVER['PHP_SELF']); ?></p></body></html>
>
>(2) Then typed the following into the address bar of Internet Explorer:
>
>http://localhost/test.php/%22%3E%3Ci....jpg%3E%3Cblah
>
>It presented the following HTML encoding, properly rendering the
>displayal of the picture:
>
><html>
><head>
><title>Testi ng Server Variables</title>
></head>
><body><p><a href="#127.0.0. 1">Hold your mouse over this link</a></p>
><p>/test.php/\"><img src=http://www.perl.com/images/75-logo.jpg><blah> </p></body></html>
>
>When moving the mouse over the the line that says,
>
> "Hold your mouse over this link".
>
>Take notice of what the browser puts in your statusbar while hovering
>over the link.
>
>[/color]
Okay, now this I see (the image).

But if I use Colin's extra data -
/%22%3E%3Cscript %3Ealert('hacke d')%3C/script%3E%3Cbla hblah
- the javaScript is not executed - not in Firefox or IE.
[color=blue]
>I tested the problems on two different servers,
>
>(1) is a server running PHP on Apache on Windows XP Pro.
>(2) I see the problem on the Unix server running Apache and
>PHP.
>
>Both servers are running older versions of Apache (1.3) and
>PHP (4.4.1). So perhaps it only applies to older versions of
>PHP?
>
>Just curious, which versions of PHP are you testing this on?
>
>[/color]
See above.

--
*************** **************
Chuck Anderson • Boulder, CO

Integrity is obvious.
The lack of it is common.
*************** **************

Re: $_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF'] (or other?)

I can't find the link right at the moment, but somewhere I read
something about magic_quotes settings in the PHP.INI file.

The current settings on the XP machine...

<snip>
; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gp c = On

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_ru ntime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sy base = Off
;...
;added php_mime_magic. dll to test mime_content_ty pe() function
extension=php_m ime_magic.dll
</snip>

I enabled the php_mime_magic. dll on the XP machine.
The Apache server lists mod_mime_magic as a loaded module.

On the aquaticcreation snc.com server (run by some webhosting
company) the settings read the same:

magic_quotes_gp c = On
magic_quotes_ru ntime = Off
magic_quotes_sy base = Off

Apache Loaded Modules (displayed through phpinfo();)...
mod_mime_magic

And there is one a Directive listed in both configurations as:
<Directive name="safe_mode _allowed_env_va rs" content="Local Value=PHP_" />

Anyways, Google is appearantly vulnerable to the XSS
(cross site scripting) attacks as well. In fact, I noticed some
strange things happening with Google and their cached pages.

There seems to be quite a bit of information available here...


I'm lost. Hopefully someone knows what's going on and can help
out.

Jim Carlock
Raleigh+Swimmin g+Pool+Builders ++http://aquaticcreationsnc.com/
Post replies to the group.

Re: $_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF'] (or other?)

Jim Carlock wrote:[color=blue]
> I can't find the link right at the moment, but somewhere I read
> something about magic_quotes settings in the PHP.INI file.
>[/color]

http://tinyurl.com/jajd3 may be what you were thinking of.
[color=blue]
> The current settings on the XP machine...
>
> <snip>
> ; Magic quotes
> ;
>
> ; Magic quotes for incoming GET/POST/Cookie data.
> magic_quotes_gp c = On
>
> ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
> magic_quotes_ru ntime = Off
>
> ; Use Sybase-style magic quotes (escape ' with '' instead of \').
> magic_quotes_sy base = Off
> ;...
> ;added php_mime_magic. dll to test mime_content_ty pe() function
> extension=php_m ime_magic.dll
> </snip>
>
> I enabled the php_mime_magic. dll on the XP machine.
> The Apache server lists mod_mime_magic as a loaded module.
>
> On the aquaticcreation snc.com server (run by some webhosting
> company) the settings read the same:
>
> magic_quotes_gp c = On
> magic_quotes_ru ntime = Off
> magic_quotes_sy base = Off
>
> Apache Loaded Modules (displayed through phpinfo();)...
> mod_mime_magic
>
> And there is one a Directive listed in both configurations as:
> <Directive name="safe_mode _allowed_env_va rs" content="Local Value=PHP_" />
>
> Anyways, Google is appearantly vulnerable to the XSS
> (cross site scripting) attacks as well. In fact, I noticed some
> strange things happening with Google and their cached pages.
>
> There seems to be quite a bit of information available here...
> http://lists.grok.org.uk/pipermail/f...5-December.txt
>
> I'm lost. Hopefully someone knows what's going on and can help
> out.
>
> Jim Carlock
> Raleigh+Swimmin g+Pool+Builders ++http://aquaticcreationsnc.com/
> Post replies to the group.
>
>[/color]

Re: $_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF'] (or other?)

Jim Carlock wrote:
[color=blue]
>I can't find the link right at the moment, but somewhere I read
>something about magic_quotes settings in the PHP.INI file.
>
>The current settings on the XP machine...
>
><snip>
>; Magic quotes
>;
>
>; Magic quotes for incoming GET/POST/Cookie data.
>magic_quotes_g pc = On
>
>; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
>magic_quotes_r untime = Off
>
>; Use Sybase-style magic quotes (escape ' with '' instead of \').
>magic_quotes_s ybase = Off
>;...
>;added php_mime_magic. dll to test mime_content_ty pe() function
>extension=php_ mime_magic.dll
></snip>
>
>I enabled the php_mime_magic. dll on the XP machine.
>The Apache server lists mod_mime_magic as a loaded module.
>
>On the aquaticcreation snc.com server (run by some webhosting
>company) the settings read the same:
>
>magic_quotes_g pc = On
>magic_quotes_r untime = Off
>magic_quotes_s ybase = Off
>
>Apache Loaded Modules (displayed through phpinfo();)...
>mod_mime_mag ic
>
>And there is one a Directive listed in both configurations as:
><Directive name="safe_mode _allowed_env_va rs" content="Local Value=PHP_" />
>
>Anyways, Google is appearantly vulnerable to the XSS
>(cross site scripting) attacks as well. In fact, I noticed some
>strange things happening with Google and their cached pages.
>
>There seems to be quite a bit of information available here...
>http://lists.grok.org.uk/pipermail/f...5-December.txt
>
>I'm lost. Hopefully someone knows what's going on and can help
>out.
>
>[/color]
I'm quite lost, too. Just trying to make sense of this for use in future
implementations . I try to add security related issues that I read about
here (and *understand*) to my Php scripting habits. I use forms with
action=PHP_SELF quite often.

If it makes any difference, magic quotes gpc is enabled on both my local
machine and at my remote host.

--
*************** **************
Chuck Anderson • Boulder, CO

Integrity is obvious.
The lack of it is common.
*************** **************