Dotan Cohen wrote:
>> explains a technique to validate the input as well (don't trust that is
>> clean)
> I do not understand the exploit. How is he spoofing any $_SERVER
> variables? The attack description doesn't make sense.

Well, when you visit that page, $_SERVER['PHP_SELF'] is set to the value
of his URL: form.php/%22%3E%3Cscript%3Ealert(’XSS

The page then echos out $_SERVER['PHP_SELF'] which when those urlencoded
characters are decoded, they become the script action that you see.
test it for yourself.

Note, if you copy paste the code, then the delimiters around XSS attack!
are actually apostrophes so it doesn't work, but if you change them to
single quotes it works as advertised, except there is a wayward " in the
<br> as <br">.  This doesn't keep the script from executing though.

I prefer valid markup in my exploits, so I use:

form.php/%22%3E%3Cscript%3Ealert('XSS attack!')%3C/script%3E%3Chr


PHP General Mailing List (
To unsubscribe, visit:

Reply via email to