This isn't only a problem with that specific variable, it is also a problem with any user-defined variable, i.e.

<? echo $_GET['page']; ?>

can be XSS'd with script.php?page=<b>blah</b>

However:

<? echo htmlentities($_GET['page']); ?>

is much harder to exploit to inject malicious code.

I believe the following: if your program/script accepts any user input, never assume something else will block the exploit of your program; always implement sanity checks, and/or strip nonsense out of the input.

On Monday 23 April 2007 18:21, Michał Majchrowicz wrote:
> I agree. But (as a programmer) would you assume that there can be such
> things in the REQUEST_METHOD? The flaw is that Apache accepts anything
> after the valid request, i.e. GET. There should be an error that the
> request was not correct.
> Regards, Michal.
>
> On 4/24/07, Kradorex Xeron <[EMAIL PROTECTED]> wrote:
> > This is a case of poor programming on the script coder's part; it is not
> > so much a vulnerability.
> >
> > That variable only contains what it is sent by Apache. It doesn't parse
> > it, nor is it supposed to. If you want to ensure there is no XSS going
> > on, parse the variable, escape characters, etc., as it IS user input.
> >
> > This CAN be a vulnerability with individual scripts; however, it is not a
> > vuln with PHP or Apache.
> >
> > On Monday 23 April 2007 17:31, Michal Majchrowicz wrote:
> > > There exists a flaw in the way the Apache and PHP combination handles the
> > > $_SERVER array.
> > > If the programmer writes a script like this:
> > > <?php
> > > echo $_SERVER['REQUEST_METHOD'];
> > > ?>
> > > he will assume that REQUEST_METHOD can only be: GET, POST, OPTIONS, TRACE
> > > and all that stuff. However, this is not true, since Apache accepts
> > > requests that look like this:
> > > GET<script>alert(document.coookie);</script> /test.php HTTP/1.0
> > > And the output for this would be:
> > > GET<script>alert(document.coookie);</script>
> > > Of course it is hard to exploit (I think some Flash might help ;)) and
> > > I don't know if it is exploitable at all.
> > > But programmers should be warned about this behaviour. You can't trust
> > > any variable in the $_SERVER table!
> > > Regards, Michal Majchrowicz.
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
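The following is an added example, not code from any of the posts in this thread, showing the defensive pattern the thread converges on: treat $_SERVER['REQUEST_METHOD'] and $_GET['page'] as untrusted, check the method against an allowlist so the script no longer depends on what the web server lets through, and HTML-encode every value before echoing it. The function names (html, requestMethod) and the ALLOWED_METHODS list are assumptions chosen for this example.

```php
<?php
// Added example (not from the thread): defensive handling of the two
// values discussed, $_GET['page'] and $_SERVER['REQUEST_METHOD'].
declare(strict_types=1);

// Encode any value before it is written into HTML. ENT_QUOTES also
// escapes single quotes, so the result is safe inside attribute values
// as well as in element content; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumed allowlist for this example: the methods the script is
// prepared to handle. Anything else (including a method with extra
// characters appended, as in the thread) is rejected with 400.
const ALLOWED_METHODS = ['GET', 'HEAD', 'POST', 'OPTIONS'];

function requestMethod(array $server): string
{
    $method = $server['REQUEST_METHOD'] ?? '';
    // Strict comparison: the value must match an entry exactly.
    if (!in_array($method, ALLOWED_METHODS, true)) {
        http_response_code(400);
        exit('Bad request');
    }
    return $method;
}

$method = requestMethod($_SERVER);
$page   = (string) ($_GET['page'] ?? '');

// Vulnerable form from the thread:   echo $_GET['page'];
// Hardened form: every dynamic value goes through html() on output, so
// ?page=<b>blah</b> is rendered as literal text, not as markup.
echo '<p>Method: ', html($method), '</p>';
echo '<p>Page: ', html($page), '</p>';
```

The two controls are independent: the allowlist rejects a malformed method regardless of output encoding, and the output encoding protects the page even for values (like $_GET['page']) that have no sensible allowlist.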
