PHP_Self and Xss

PHP_SELF and XSS

To make it safe to use you need to use htmlspecialchars().

<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8"); ?>

See A XSS Vulnerability in Almost Every PHP Form I’ve Ever Written for how $_SERVER["PHP_SELF"] can be attacked.

PHP XSS command when using $_SERVER['PHP_SELF']

This even works when the web address is nonexistent. Shouldn't that person get an error page of some kind saying that the website cannot be found? Just like when we accidentally type in a wrong address and get nothing?

Not if the web server is configured to allow extra data after the script path. In Apache, this is configured by the AcceptPathInfo Directive.

Even though it works, how is anyone else besides the "hacker" himself affected if the change is not saved on the php file on the server? I mean it is the hacker who manually typed in the malicious code, and it is his browser that would download the affected web page.

An XSS attack would require the attacker to get the target to visit this URL, so that the malicious payload would run in the target's browser. One way to do this would be to trick the target into clicking a malicious link.

PHP_SELF and XSS

If you’re using AcceptPathInfo or something similar such that a URI like /index.php/foo/bar is directed to /index.php, requesting /index.php/%22%E3E… can get your following data outside the form tag.

And as for the second question: click here.

PHP_SELF and SCRIPT_NAME - XSS attacks edition

As good practice, you should always protect against any variables from $_SERVER, $_GET, $_POST etc.

$str = filter_var($input, FILTER_SANITIZE_STRING);

A simple way to sanitize a string, or you can use htmlentities. I create a class that I use when returning any variables from $_SERVER, $_GET and $_POST.

$_SERVER['PHP_SELF'] vulnerability not working?

If your form is at the form.php script, try accessing it with a URL in the browser like http://yoursite.com/form.php/"><script>alert('XSS')</script> to see if it is vulnerable to injection.

If it doesn't do anything, your configuration prevents this, at least for this specific file.

(Of course, you should use something like htmlspecialchars($_SERVER['SCRIPT_NAME']) anyway.)

Is calling $_SERVER[PHP_SELF] (keeping the whole PHP code in HTML) a good way of coding?

All <?php ... ?> code never leaves your server - it is parsed by the PHP interpreter into raw HTML, so the end user won't see anything server-related.

What is the reason for $_SERVER[PHP_SELF]?

You shouldn't use $_SERVER["PHP_SELF"] in that way for security reasons. This is because you print the complete path including all parameters to your site and you have an XSS problem.

If you want to send your form to the same site you can very simply use #.

<form action="#" method="post">

Or type in the complete filename, which prevents parameters from being added to your website.

PHP_SELF and XSS

Here is another post on how to secure that part.

How to protect against this type of attack?

I was using $_SERVER['PHP_SELF'] in an href tag, so that's where the JavaScript was triggered.

The solution is simple. I run PHP_SELF through a filter before using it, and any passed garbage is cleaned and safe to use on the page.

Using $_SERVER['PHP_SELF']; vs htmlentities($_SERVER['PHP_SELF']); for canonical link on https

The problem: the user can control the content of $_SERVER['PHP_SELF'].

Let's say your code is in index.php.

So when you call https://www.yourserver.com/index.php your code will work as expected. But index.php will also be called when someone calls

http://localhost/phpinfo.php/%22/%3E%3Cscript%3Ealert('Hello');%3C/script%3E%3Cbr

The part /%22/%3E%3Cscript%3Ealert('Hello');%3C/script%3E%3Cbr is called PATH_INFO.

When you try it, you will see that some JavaScript will also be executed.

Some evil user can generate such a link with any JavaScript in it and send it by email to his victim in the hope that he will click on it; his JavaScript will then be executed in the victim's browser. So maybe he can steal the session id from that user and capture his session.
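The following is an added example, not code from any of the answers above. It builds the opening form tag from a constructed $_SERVER array three ways: with raw PHP_SELF (the broken markup the answers describe), with PHP_SELF passed through htmlspecialchars(), and with SCRIPT_NAME, which does not carry the PATH_INFO suffix. The helper names form_action and script_path are this example's own, and the sample assumes the web server has already URL-decoded the request path before PHP_SELF is set, as in the Apache setup discussed above.

```php
<?php
// Added example (not from the answers above): show how PATH_INFO reaches the
// form tag through PHP_SELF, and what escaping or using SCRIPT_NAME changes.

// Build the opening <form> tag from an action value, optionally escaped.
function form_action(string $action, bool $escape): string
{
    if ($escape) {
        // ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces
        // invalid UTF-8 instead of returning an empty string.
        $action = htmlspecialchars($action, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return '<form action="' . $action . '" method="post">';
}

// Prefer SCRIPT_NAME over PHP_SELF: it names the script that ran and does
// not include the extra path data. It must still be escaped, because every
// $_SERVER value that ends up in HTML is attacker-influenced.
function script_path(array $server): string
{
    return $server['SCRIPT_NAME'] ?? $server['PHP_SELF'] ?? '/';
}

// Constructed request (hypothetical values, assumed to mirror mod_php on
// Apache with AcceptPathInfo): /form.php was requested with extra path data,
// so PHP_SELF is SCRIPT_NAME followed by the already-decoded PATH_INFO.
$server = [
    'SCRIPT_NAME' => '/form.php',
    'PATH_INFO'   => '/"><script>alert(1)</script>',
    'PHP_SELF'    => '/form.php/"><script>alert(1)</script>',
];

// 1. Raw PHP_SELF: the quote closes the attribute and the rest of the
//    string lands in the page as markup.
echo "raw PHP_SELF:        ", form_action($server['PHP_SELF'], false), "\n";

// 2. Escaped PHP_SELF: the quote and angle brackets become entities, so the
//    whole value stays inside the action attribute.
echo "escaped PHP_SELF:    ", form_action($server['PHP_SELF'], true), "\n";

// 3. Escaped SCRIPT_NAME: the injected path data never appears at all.
echo "escaped SCRIPT_NAME: ", form_action(script_path($server), true), "\n";
```

Run it from the command line with php; the first line shows the attribute broken open by the quote, the other two keep the form tag intact.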
