Exploiting PHP SELF
2008-01-19 13:33
Eric Butera emailed me with a very interesting topic about protecting
against PHP_SELF exploits. I thought it might be a good idea to gather a few
test cases demonstrating the problem. Why PHP allows these URLs is beyond
me, and it wouldn't take much work to filter out these malicious URLs in
the PHP code.
For any of you that don't know, it's possible to inject code into
PHP_SELF. It works by supplying a "/" after the actual PHP file and then
entering your desired code; PHP treats the remainder as path info and
reflects the whole request path, injected text included, in PHP_SELF.
I've done 4 test cases which show how it's possible to inject JavaScript
and perform a redirect on code which doesn't filter PHP_SELF correctly.
Test case 1
Injects data into an HTTP header. Although this scenario is not very
likely, I thought I would include it to show that even running htmlentities
or htmlspecialchars won't save you from attack completely: those functions
escape HTML metacharacters, which is not what a header needs.
Test case 2
Shows how easy it is to inject XSS into links. This is very likely, as many
PHP applications often refer to the same page to change the current
action/display.
Test case 3
A search page often includes references to PHP_SELF and can be exploited as
easily as links.
Test case 4
Finally I show how code can be injected directly on the page without the
need to break out of anything.
The test cases can be downloaded here:
Test cases
<http://www.thespanner.co.uk/wp-content/uploads/2008/01/php_selfphp.zip>
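The pattern behind test cases 1 to 4 and the fix for it, as an added example that is not part of the original post or its test-case zip. The vulnerable line is the one the post describes (PHP_SELF echoed straight into a form action); the hardened version uses the server-resolved SCRIPT_NAME, which carries no path info, and escapes it for HTML anyway. The header case shows why HTML escaping is the wrong tool there. The function names self_path(), esc(), has_path_info() and redirect_to_self() are my own, not anything from the post.

```php
<?php
// Added example, not from the original post. Demonstrates why
// $_SERVER['PHP_SELF'] must not be echoed raw and what to use instead.
//
// For a request to /search.php/"><script>alert(1)</script>
//   $_SERVER['PHP_SELF']    = '/search.php/"><script>alert(1)</script>'
//   $_SERVER['SCRIPT_NAME'] = '/search.php'
// PHP_SELF includes the attacker-controlled path info; SCRIPT_NAME does not.

// The script's own path as resolved by the web server, with no path info.
function self_path(): string {
    return $_SERVER['SCRIPT_NAME'] ?? '';
}

// Escape a value for an HTML attribute or text node (test cases 2, 3, 4).
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Detection hook: when PHP_SELF differs from SCRIPT_NAME, the request
// carried extra path info, which a page that never uses path info has no
// reason to see. Log it; the request may be one of these probes.
function has_path_info(): bool {
    return ($_SERVER['PHP_SELF'] ?? '') !== ($_SERVER['SCRIPT_NAME'] ?? '');
}

// --- Vulnerable (the pattern the post's test cases target) ---
// echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="get">';
//
// --- Hardened: no path info, and escaped for the attribute context ---
if (has_path_info()) {
    error_log('unexpected path info on ' . self_path()
        . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}
echo '<form action="' . esc(self_path()) . '" method="get">';
echo '<input type="text" name="q"><input type="submit" value="Search"></form>';

// --- Test case 1: a header built from the request path ---
// htmlspecialchars() leaves CR/LF untouched, so it cannot stop header
// injection. Build the target from SCRIPT_NAME and, as defence in depth,
// refuse any value containing a line break before it reaches header().
function redirect_to_self(string $query = ''): void {
    $target = self_path();
    if ($query !== '') {
        $target .= '?' . $query;
    }
    if (preg_match('/[\r\n]/', $target) === 1) {
        http_response_code(400);
        exit('invalid redirect target');
    }
    header('Location: ' . $target);
    exit;
}
```

For a form that only ever submits to itself, omitting the action attribute altogether avoids reflecting any request path into the markup; where the path really must appear, SCRIPT_NAME plus htmlspecialchars() with ENT_QUOTES covers the attribute, text and link contexts of test cases 2 to 4, and the header path needs its own check because HTML escaping says nothing about line breaks.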
http://hi.baidu.com/h4ck3rsbr/blog/item/f80ae780d0b144d39023d966.html