I agree. But (as a programmer) would you assume that there can be such things in the REQUEST_METHOD? The flaw is that Apache accepts anything after the valid request, i.e. GET. There should be an error that the request was not correct.

Regards,
Michal.
On 4/24/07, Kradorex Xeron <[EMAIL PROTECTED]> wrote:
> This is a case of poor programming on the script coder's part; it is not so
> much a vulnerability.
>
> That variable only contains what it is sent by Apache. It doesn't parse it,
> nor is it supposed to. If you want to ensure there is no XSS going on, parse
> the variable, escape characters, etc., as it IS user input.
>
> This CAN be a vulnerability with individual scripts; however, it is not a vuln
> with PHP or Apache.
>
> On Monday 23 April 2007 17:31, Michal Majchrowicz wrote:
> > There exists a flaw in the way the Apache and PHP combination handles the
> > $_SERVER array.
> > If the programmer writes a script like this:
> > <?php
> > echo $_SERVER['REQUEST_METHOD'];
> > ?>
> > he will assume that REQUEST_METHOD can only be GET, POST, OPTIONS, TRACE
> > and all that stuff. However, this is not true, since Apache accepts
> > requests that look like this:
> > GET<script>alert(document.coookie);</script> /test.php HTTP/1.0
> > And the output for this would be:
> > GET<script>alert(document.coookie);</script>
> > Of course it is hard to exploit (I think some Flash might help ;)) and
> > I don't know if it is exploitable at all. But programmers should be
> > warned about this behaviour. You can't trust any variable in the
> > $_SERVER table!
> > Regards, Michal Majchrowicz.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
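The defensive handling the thread calls for, as an added example that is not code from any of the posters: the request method is checked against an allow-list before use, and anything that does get echoed into HTML is escaped. The function names, the allow-list and the sample inputs are assumptions constructed here.

```php
<?php
// Added example, not code from the thread: treat $_SERVER['REQUEST_METHOD']
// as attacker-influenced input. The method is checked against an allow-list
// and anything echoed back into HTML is escaped.

const ALLOWED_METHODS = ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'OPTIONS'];

// Returns the method token only if it is on the allow-list, otherwise null.
// Method tokens are case-sensitive, so no normalisation is applied.
function validatedRequestMethod(array $server): ?string
{
    $method = $server['REQUEST_METHOD'] ?? '';
    return in_array($method, ALLOWED_METHODS, true) ? $method : null;
}

// Escapes a $_SERVER value for an HTML body context.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Produces [status, body] for the given server array; headers and output are
// left to the caller so this stays side-effect free and easy to check.
function handleRequest(array $server): array
{
    $method = validatedRequestMethod($server);
    if ($method === null) {
        return [405, 'Method Not Allowed'];
    }
    // Vulnerable form from the thread: echo $_SERVER['REQUEST_METHOD'];
    return [200, 'Method: ' . escapeForHtml($method)];
}

// Constructed inputs, modelled on the request line quoted in the thread.
$normal  = ['REQUEST_METHOD' => 'GET'];
$hostile = ['REQUEST_METHOD' => 'GET<script>alert(1)</script>'];

assert(handleRequest($normal) === [200, 'Method: GET']);
assert(handleRequest($hostile) === [405, 'Method Not Allowed']);
// Even where a raw value must be displayed, escaping neutralises the markup.
assert(escapeForHtml($hostile['REQUEST_METHOD'])
    === 'GET&lt;script&gt;alert(1)&lt;/script&gt;');

// Real use (not run here):
//   [$status, $body] = handleRequest($_SERVER);
//   http_response_code($status);
//   echo $body;
```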
