PHP_SELF and XSS

Tags: php, xss

I've found an article claiming that $_SERVER['PHP_SELF'] is vulnerable to XSS.

I'm not sure if I have understood it correctly, but I'm almost sure that it's wrong.

How can this be vulnerable to XSS attacks!?

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <!-- form contents -->
</form>
McRonald asked May 21 '11 06:05



2 Answers

To make it safe to use, you need to use htmlspecialchars().

<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8"); ?>

See "A XSS Vulnerability in Almost Every PHP Form I've Ever Written" for how $_SERVER["PHP_SELF"] can be attacked.

John Conde answered Oct 07 '22 11:10


It is indeed an XSS vulnerability. I do understand that you believe it may not harm your website, but this doesn't mean it is not real.

If you do not believe it, try the following:

We assume you have a page such as "registration.php". We assume you have a form where action is:

<?php echo $_SERVER['PHP_SELF']; ?>

as you put it down indeed:

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <!-- form contents -->
</form>

Now simply append the string below:

%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E

It is not actually hard to understand: because PHP_SELF is a reflection of the URL, your application will read whatever you put in the URL and echo it. It is as simple as that.

htmlspecialchars should take care of the matter, no reason to dispute the evidence.

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
    <!-- form contents -->
</form>

However, even if this is a first step in stealing a cookie, it doesn't take place automatically. Even if it's quite easy to craft the attack (as the attacker will register on your site and will see how the cookie looks, etc.), a series of other factors must be true to get to the point of having a cookie-stealing situation. For instance, the cookie must not be expired. Then it depends on how complex the cookie is. Then maybe you have other precautions in place on the server; it doesn't have to be all authentication based on the presence of a cookie!

While I do believe it is rather difficult and really bad programming for all conditions to be met (even if yahoo.mail, for example, had such a vulnerability, and if you look on the internet you will find even the exploit and the cookie decoder), the XSS is real, and who knows what a crafty attacker may do if your site suffers from it. The cure is simple...

Florin Sima answered Oct 07 '22 09:10
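The following is an added example, not code from either answer: it reproduces what the second answer describes (PHP appends the extra path segment to PHP_SELF, so the appended string lands inside the action attribute) and puts the unescaped and the htmlspecialchars() version side by side with a small containment check. The value of $_SERVER['PHP_SELF'] is constructed in the script so it runs from the CLI without a web server.

```php
<?php
// Added example, not code from the original question or answers. It mimics
// the request /registration.php/<payload>: PHP appends PATH_INFO to PHP_SELF,
// which is why the appended string from the answer ends up in the attribute.
// Runs from the CLI; $_SERVER['PHP_SELF'] is constructed here, not read.
declare(strict_types=1);

const SCRIPT_PATH = '/registration.php';
// Decoded form of %27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E from the answer.
const PAYLOAD = "'\"/><script>alert(1)</script>";

// Vulnerable: the value is echoed straight into a double-quoted attribute.
function renderFormUnsafe(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '"></form>';
}

// Fixed: ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE keeps invalid
// UTF-8 from making htmlspecialchars() return '' (an empty action).
function renderFormSafe(string $phpSelf): string
{
    $escaped = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $escaped . '"></form>';
}

// Defender-side check: blank out the attribute value and confirm that nothing
// but the bare template remains, i.e. no markup escaped the attribute.
function attributeIsContained(string $html): bool
{
    $stripped = preg_replace('/action="[^"]*"/', 'action=""', $html, 1);
    return $stripped === '<form method="post" action=""></form>';
}

$phpSelf = SCRIPT_PATH . '/' . PAYLOAD;   // what PHP_SELF holds for that URL

foreach (['unsafe' => renderFormUnsafe($phpSelf),
          'safe'   => renderFormSafe($phpSelf)] as $label => $html) {
    printf("%-6s contained=%s  %s\n",
           $label, attributeIsContained($html) ? 'yes' : 'no', $html);
}
```

The unsafe render fails the containment check because the closing quote and "/>" in the path close the attribute and the tag; the escaped render passes because every quote and angle bracket has become an entity.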