Re: How To...



J2Be.com wrote:
echo "<form action=\"$PHP_SELF\" method=\"post\">";
Will work on a form.
HTH

--
TK
http://wejuggle2.com/
Still Having a Ball

I'm sorry to say that this is not a good suggestion.

$PHP_SELF will not return anything, except if the server has an obsolete PHP configuration.
Eventually $_SERVER['PHP_SELF'] should be used.

A string is faster and clearer in this way:
'<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
and there's no need to add the backslashes to escape the ".

The $_SERVER['PHP_SELF'] used in this manner is dangerous and
could allow XSS attacks.



Sample form
----
<?php
echo '<html><head><title></title></head><body>';
echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
echo '<input type="text"><input type="submit"></form>';
echo '</body></html>';
?>
----


Sample of the XSS
http://server.tld/form.php/";><script>alert(1);</script><"


I don't want to start a flame or offend you but it's better to know such simple things.
Regards
Leonardo Armando Iarrusso


*disclaimer: I don't know much about XSS attacks

I may be wrong, but using

echo '<form action="' . $_SERVER['SCRIPT_NAME'].'" method="post">';

does not seem to have the same issues with XSS. If it does not, then it's a good alternative to $_SERVER['PHP_SELF'].

I passed
http://localhost/~troookat/index.php/";><script>alert(1);</script><"

print_r'ed $_SERVER

[SCRIPT_NAME] => /~trookat/index.php
[PHP_SELF] => /~trookat/index.php/"><script>alert(1);</script><"

the only other vars that would get tainted would be
[REQUEST_URI] => /~trookat/index.php/%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22
[PATH_INFO] => /"><script>alert(1);</script><"
[PATH_TRANSLATED] => /var/www/"><script>alert(1);</script><"



If I'm wrong anywhere please point it out

regards
- trookat
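The following is an added example and not code posted by TK, Leonardo or trookat. It puts Leonardo's vulnerable form line and trookat's SCRIPT_NAME comparison side by side in one script that runs from the command line: the $request array is a constructed stand-in for $_SERVER built from the values trookat printed (the PATH_INFO and SCRIPT_NAME entries are taken from that output), and the function names are my own. The only real PHP calls are htmlspecialchars() and substr_count().

```php
<?php
// Added example (not from the thread): three ways to build the <form action>
// discussed above, evaluated against a request whose path carries a payload.

// Constructed $_SERVER-like array mirroring trookat's print_r output for
//   /~trookat/index.php/";><script>alert(1);</script><"
// Only the keys needed here are included.
$request = [
    'SCRIPT_NAME' => '/~trookat/index.php',
    'PHP_SELF'    => '/~trookat/index.php/"><script>alert(1);</script><"',
    'PATH_INFO'   => '/"><script>alert(1);</script><"',
];

// Leonardo's sample, unchanged: PHP_SELF is echoed raw. Everything after the
// script name is request-controlled path info and lands inside the attribute.
function formActionUnsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened form of the same line: encode for the HTML attribute context.
// ENT_QUOTES encodes both quote characters, so the attribute cannot be closed
// early and no tag can be opened.
function formActionEncoded(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// trookat's alternative: SCRIPT_NAME does not carry the path info. It is still
// encoded here, because output encoding is the rule whatever the source is.
function formActionScriptName(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Demonstration-only check: a correctly built line contains exactly one '<'
// (the <form tag itself). Anything beyond that came from the request.
function injectedTagCount(string $html): int
{
    return substr_count($html, '<') - 1;
}

$variants = [
    'unsafe'      => 'formActionUnsafe',
    'encoded'     => 'formActionEncoded',
    'script_name' => 'formActionScriptName',
];

foreach ($variants as $label => $fn) {
    $html = $fn($request);
    printf("%-12s injected tags: %d\n  %s\n", $label, injectedTagCount($html), $html);
}
```

Run it with `php form_action.php`: the unsafe variant reports three injected tags and prints the `<script>` block verbatim, while the other two report zero. Note that the thread only shows one server's `$_SERVER` values; which variables absorb path info depends on the web server and SAPI, so the reliable fix is the encoding on output, not the choice of variable.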


