
Exploiting PHP SELF

2008-01-19 13:33

Eric Butera emailed me with a very interesting topic about protecting
against PHP_SELF exploits. I thought it might be a good idea to gather a few
test cases demonstrating the problem. Why PHP allows these URLs is beyond
me, and it wouldn’t take much work to filter out these malicious URLs in
the PHP code.

For any of you that don’t know, it’s possible to inject code into
PHP_SELF. It works by supplying a “/” after the actual PHP file, then
entering your desired code. I’ve done 4 test cases which show how it’s
possible to inject JavaScript and perform a redirect on code which doesn’t
filter PHP_SELF correctly.

Test case 1

Injects data into an HTTP header. Although this scenario is not very likely, I
thought I would include it to show that even running htmlentities or
htmlspecialchars won’t save you from attack completely.

Test case 2

Shows how easy it is to inject XSS into links. This is very likely, as many
PHP applications often refer to the same page to change the current
action/display.

Test case 3

A search page often includes references to PHP_SELF and can be exploited as
easily as links.

Test case 4

Finally I show how code can be injected directly on the page without the
need to break out of anything.
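
The pattern behind the four test cases, as an added example (not part of the original post or its downloadable test cases): a constructed PHP_SELF value is echoed unescaped, then handled with SCRIPT_NAME plus encoding or validation chosen for the output context. The function names and the sample request are hypothetical, and the code assumes a typical setup where SCRIPT_NAME carries no path info.

```php
<?php
// Constructed request: /search.php/"><b>injected</b>
// PHP appends the trailing path info to PHP_SELF, while SCRIPT_NAME
// (assumption: typical Apache/mod_php setup) stays the script path only.
$server = [
    'PHP_SELF'    => '/search.php/"><b>injected</b>',
    'SCRIPT_NAME' => '/search.php',
];

// Vulnerable pattern (test cases 2-4): PHP_SELF echoed into markup unescaped,
// so the quote in the path info closes the attribute early.
function form_vulnerable(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="get">';
}

// Hardened for HTML: use SCRIPT_NAME (no user-supplied path info) and still
// escape for the attribute context, quotes included.
function self_for_html(array $server): string
{
    return htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
}

function form_hardened(array $server): string
{
    return '<form action="' . self_for_html($server) . '" method="get">';
}

// Hardened for headers (test case 1): HTML escaping is the wrong encoder for
// this context, so accept only a strict path and fall back otherwise.
// The D modifier stops "$" from matching before a trailing newline.
function self_for_header(array $server, string $fallback = '/'): string
{
    $path = $server['SCRIPT_NAME'];
    return preg_match('#^/[A-Za-z0-9._/-]+\.php$#D', $path) === 1 ? $path : $fallback;
}

// Print the three results side by side for comparison.
echo form_vulnerable($server), "\n";
echo form_hardened($server), "\n";
echo 'Location: ', self_for_header($server), "\n";
```
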

The test cases can be downloaded here:
Test cases <http://www.thespanner.co.uk/wp-content/uploads/2008/01/php_selfphp.zip>
http://hi.baidu.com/h4ck3rsbr/blog/item/f80ae780d0b144d39023d966.html