Re: [PHP] Which file Included me?

2009-02-22 Thread RottenEye

But we could use rawurlencode($_SERVER['PHP_SELF']), no?

João


Michael A. Peters wrote:

Nisse Engström wrote:

On Wed, 18 Feb 2009 10:37:53 -0800, Michael A. Peters wrote:

http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html 



explains a technique to validate the input as well (don't trust that 
is clean)


Amazing! Not once did they mention htmlspecialchars().


/Nisse



htmlspecialchars causes problems if you are going to use the data with 
DOMDocument.


I believe the point was to produce a proper _SERVER['PHP_SELF'] - not a 
sanitized but still borked version.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Which file Included me?

2009-02-19 Thread Nisse Engström
On Wed, 18 Feb 2009 10:37:53 -0800, Michael A. Peters wrote:

 http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html
 
 explains a technique to validate the input as well (don't trust that is 
 clean)

Amazing! Not once did they mention htmlspecialchars().


/Nisse




Re: [PHP] Which file Included me?

2009-02-19 Thread Michael A. Peters

Nisse Engström wrote:

On Wed, 18 Feb 2009 10:37:53 -0800, Michael A. Peters wrote:


http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html

explains a technique to validate the input as well (don't trust that is 
clean)


Amazing! Not once did they mention htmlspecialchars().


/Nisse



htmlspecialchars causes problems if you are going to use the data with 
DOMDocument.


I believe the point was to produce a proper _SERVER['PHP_SELF'] - not a 
sanitized but still borked version.





[PHP] Which file Included me?

2009-02-18 Thread Ed Curtis
Is there a function or variable that will tell me if a file has asked 
another file to include something much the same as 
$_SERVER['HTTP_REFERER'] works. I have a script that is included on 
every page of a site but also needs to include some javascript only if 
it's called from a certain URL.


thanks,

Ed




Re: [PHP] Which file Included me?

2009-02-18 Thread APseudoUtopia
On Wed, Feb 18, 2009 at 1:16 PM, Ed Curtis e_cur...@homes2see.com wrote:
 Is there a function or variable that will tell me if a file has asked
 another file to include something much the same as $_SERVER['HTTP_REFERER']
 works. I have a script that is included on every page of a site but also
 needs to include some javascript only if it's called from a certain URL.

 thanks,

 Ed


Maybe include_once() would help? Or require_once() ?




Re: [PHP] Which file Included me?

2009-02-18 Thread Sudheer

Ed Curtis wrote:
Is there a function or variable that will tell me if a file has asked 
another file to include something much the same as 
$_SERVER['HTTP_REFERER'] works. I have a script that is included on 
every page of a site but also needs to include some javascript only if 
it's called from a certain URL.


thanks,

Ed


Are you looking for $_SERVER['PHP_SELF'] ?


--

With warm regards,
Sudheer. S
Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
Personal: http://sudheer.net





Re: [PHP] Which file Included me?

2009-02-18 Thread Robert Cummings
On Wed, 2009-02-18 at 23:57 +0530, Sudheer wrote:
 Ed Curtis wrote:
  Is there a function or variable that will tell me if a file has asked 
  another file to include something much the same as 
  $_SERVER['HTTP_REFERER'] works. I have a script that is included on 
  every page of a site but also needs to include some javascript only if 
  it's called from a certain URL.
 
  thanks,
 
  Ed
 
 Are you looking for $_SERVER['PHP_SELF'] ?

I'd use $_SERVER['REQUEST_URI'] :)

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] Which file Included me?

2009-02-18 Thread Michael A. Peters

Ed Curtis wrote:
Is there a function or variable that will tell me if a file has asked 
another file to include something much the same as 
$_SERVER['HTTP_REFERER'] works. I have a script that is included on 
every page of a site but also needs to include some javascript only if 
it's called from a certain URL.


thanks,

Ed



$_SERVER['PHP_SELF']




Re: [PHP] Which file Included me?

2009-02-18 Thread Michael A. Peters

Ed Curtis wrote:
Is there a function or variable that will tell me if a file has asked 
another file to include something much the same as 
$_SERVER['HTTP_REFERER'] works. I have a script that is included on 
every page of a site but also needs to include some javascript only if 
it's called from a certain URL.


thanks,

Ed



http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html

explains a technique to validate the input as well (don't trust that is 
clean)





Re: [PHP] Which file Included me?

2009-02-18 Thread Shawn McKenzie
Michael A. Peters wrote:
 Ed Curtis wrote:
 Is there a function or variable that will tell me if a file has asked
 another file to include something much the same as
 $_SERVER['HTTP_REFERER'] works. I have a script that is included on
 every page of a site but also needs to include some javascript only if
 it's called from a certain URL.

 thanks,

 Ed

 
 $_SERVER['PHP_SELF']

As Rob pointed out, $_SERVER['REQUEST_URI'] will give you the URI
whereas $_SERVER['PHP_SELF'] will only give the path and script name.

For:  http://localhost/www/test.php?var=val

$_SERVER['PHP_SELF'] = /www/test.php
$_SERVER['REQUEST_URI'] = /www/test.php?var=val

-- 
Thanks!
-Shawn
http://www.spidean.com




Re: [PHP] Which file Included me?

2009-02-18 Thread Sudheer

Robert Cummings wrote:

On Wed, 2009-02-18 at 23:57 +0530, Sudheer wrote:
  

Ed Curtis wrote:

Is there a function or variable that will tell me if a file has asked 
another file to include something much the same as 
$_SERVER['HTTP_REFERER'] works. I have a script that is included on 
every page of a site but also needs to include some javascript only if 
it's called from a certain URL.


thanks,

Ed

  

Are you looking for $_SERVER['PHP_SELF'] ?



I'd use $_SERVER['REQUEST_URI'] :)

Cheers,
Rob.
  

Hi Ed Curtis,

Just do

var_dump($_SERVER) ;

and see which array key to use. REQUEST_URI gives you the request 
parameters as well, whereas PHP_SELF gives you the script name only.



--

With warm regards,
Sudheer. S
Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
Personal: http://sudheer.net


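Added example, not code from any message in this thread: an included snippet that works out which file included it from the call stack rather than from $_SERVER, and emits the extra JavaScript only for an allow-listed entry script. It builds its own fixture (shared.php plus two stand-in pages, home.php and about.php, written to a temp directory) so it runs from the CLI; the file names, the function names and the /js/extra.js path are assumptions of the demo.

```php
<?php
// Added example: "which file included me?" answered from the include frame in
// debug_backtrace(), with a self-built fixture. Run: php which_file_included_me.php
declare(strict_types=1);

// Walk the call stack outward and return the file that executed the
// include/require of the file this function was called from.
// Returns null when the caller is the entry script itself (nothing included it).
function including_file(): ?string
{
    $includeOps = ['include', 'include_once', 'require', 'require_once'];
    foreach (debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS) as $frame) {
        if (isset($frame['function'], $frame['file'])
            && in_array($frame['function'], $includeOps, true)) {
            return $frame['file'];
        }
    }
    return null;
}

// The snippet's decision: emit the script tag only for allow-listed entry
// files, compared by real path so symlinks and '..' cannot fool the check.
function script_tag_for(?string $includer, array $allowedFiles): string
{
    if ($includer === null) {
        return '';
    }
    $real = realpath($includer);
    foreach ($allowedFiles as $allowed) {
        if ($real !== false && $real === realpath($allowed)) {
            return '<script src="/js/extra.js"></script>';   // assumed script path
        }
    }
    return '';
}

// Fixture (constructed for the demo): shared.php is the snippet included on
// every page; home.php and about.php stand in for two pages of the site.
function build_fixture(): string
{
    $dir = sys_get_temp_dir() . '/include_demo_' . getmypid();
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    file_put_contents($dir . '/shared.php',
        '<?php return script_tag_for(including_file(), [__DIR__ . "/home.php"]);');
    foreach (['home.php', 'about.php'] as $page) {
        file_put_contents($dir . '/' . $page,
            '<?php return include __DIR__ . "/shared.php";');
    }
    return $dir;
}

// Includes each page and collects what the shared snippet decided for it.
// Expected: home.php gets the script tag, about.php gets an empty string.
function run_demo(): array
{
    $dir = build_fixture();
    $result = [];
    foreach (['home.php', 'about.php'] as $page) {
        $result[$page] = include $dir . '/' . $page;
    }
    return $result;
}

foreach (run_demo() as $page => $tag) {
    printf("%-10s -> %s\n", $page, $tag === '' ? '(no script tag)' : $tag);
}
```

Why not compare basename($_SERVER['PHP_SELF']) instead? PHP_SELF carries PATH_INFO, so a request for /about.php/home.php makes that basename "home.php" and the check can be steered from the URL; REQUEST_URI is attacker-supplied for the same reason. The include frame that debug_backtrace() records names the file that actually executed the include statement, which nothing in the request can alter.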



Re: [PHP] Which file Included me?

2009-02-18 Thread Dotan Cohen
 http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html

 explains a technique to validate the input as well (don't trust that is
 clean)


I do not understand the exploit. How is he spoofing any $_SERVER
variables? The attack description doesn't make sense.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه‍-و-ي
А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-Р-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-Э-Ю-Я
а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
ä-ö-ü-ß-Ä-Ö-Ü


Re: [PHP] Which file Included me?

2009-02-18 Thread Michael A. Peters

Dotan Cohen wrote:

http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html

explains a technique to validate the input as well (don't trust that is
clean)



I do not understand the exploit. How is he spoofing any $_SERVER
variables? The attack description doesn't make sense.



Did you actually try his example?
Some browsers may have some client-side protection and not execute it. I 
believe suhosin protects against it server-side.

NoScript would block it, even if you had scripts enabled globally.

<html>
<head><title>foo</title></head>

<body>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
  <input type="submit" value="submit" />
</form>
</body>

</html>

Put that on a server w/o suhosin, turn off NoScript, and try it.
If it doesn't work with current firefox - try with an older version of IE.




Re: [PHP] Which file Included me?

2009-02-18 Thread Shawn McKenzie
Dotan Cohen wrote:
 http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html

 explains a technique to validate the input as well (don't trust that is
 clean)

 
 I do not understand the exploit. How is he spoofing any $_SERVER
 variables? The attack description doesn't make sense.
 

Well, when you visit that page, $_SERVER['PHP_SELF'] is set to the value
of his URL:

form.php/%22%3E%3Cscript%3Ealert(’XSS attack!’)%3C/script%3E%3Cbr

The page then echoes out $_SERVER['PHP_SELF'] which, when those urlencoded
characters are decoded, becomes the script action that you see.
Test it for yourself.

Note, if you copy-paste the code, the delimiters around ’XSS attack!’
are actually apostrophes so it doesn't work, but if you change them to
single quotes it works as advertised, except there is a wayward " in the
<br> as <br">. This doesn't keep the script from executing though.

I prefer valid markup in my exploits, so I use:

form.php/%22%3E%3Cscript%3Ealert('XSS attack!')%3C/script%3E%3Chr class=%22nothing

-- 
Thanks!
-Shawn
http://www.spidean.com




Re: [PHP] Which file Included me?

2009-02-18 Thread Shawn McKenzie
Michael A. Peters wrote:
 Dotan Cohen wrote:
 http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html


 explains a technique to validate the input as well (don't trust that is
 clean)


 I do not understand the exploit. How is he spoofing any $_SERVER
 variables? The attack description doesn't make sense.

 
 Did you actually try his example?
 Some browsers may have some client side protection and not execute it. I
 believe suhosin protects against it server side.
 NoScript would block it, even if you had scripts enabled globally.
 
 <html>
 <head><title>foo</title></head>
 
 <body>
 <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
   <input type="submit" value="submit" />
 </form>
 </body>
 
 </html>
 
 Put that on a server w/o suhosin, turn off NoScript, and try it.
 If it doesn't work with current firefox - try with an older version of IE.

Works for me with Firefox 3.0.6, Apache/2.2.8 (Ubuntu)
PHP/5.2.4-2ubuntu5.5 with Suhosin-Patch 0.9.6.2.

-- 
Thanks!
-Shawn
http://www.spidean.com




Re: [PHP] Which file Included me?

2009-02-18 Thread Dotan Cohen
 Did you actually try his example?

No, I could not understand it. Now I see why:
1) Where would the experienced hacker enter the attack? Now I see
that it is the URL of the attacked site. That was not clear, I though
that it was being entered into some form element that I did not see in
the code.
2) I thought that yoursite.com is the attacked site, and mysite.com is
the attacking site. Now I see that the author just messed up and they
both should have been yoursite.com.

Why not just use SCRIPT_NAME then? It doesn't contain the path variables.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه‍-و-ي
А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-Р-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-Э-Ю-Я
а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
ä-ö-ü-ß-Ä-Ö-Ü
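Added example, not code from the thread: it feeds the request path Shawn posted into a simulated $_SERVER array (the array, the file name and the helper functions are assumptions of the demo) and contrasts the raw PHP_SELF action from Michael's form with the three fixes that came up in the thread: htmlspecialchars(), SCRIPT_NAME and rawurlencode(). Run from the CLI it prints each variant and whether the value broke out of the action attribute.

```php
<?php
// Added example: the PHP_SELF attribute injection from the thread, reproduced
// against a simulated $_SERVER array, next to three fixes. Run: php php_self_xss.php
declare(strict_types=1);

// Shawn's request path, URL-decoded the way Apache decodes PATH_INFO before
// PHP appends it to SCRIPT_NAME to build PHP_SELF.
const ATTACK_PATH_INFO = '/"><script>alert(\'XSS attack!\')</script><hr class="nothing';

// Hypothetical $_SERVER for a request to /form.php plus the attack path info.
// Values are assumed: there is no web server in this demo.
function simulated_server(): array
{
    return [
        'SCRIPT_NAME' => '/form.php',
        'PATH_INFO'   => ATTACK_PATH_INFO,
        'PHP_SELF'    => '/form.php' . ATTACK_PATH_INFO,
    ];
}

// The form from Michael's message, with the action value supplied by the caller.
function form_html(string $action): string
{
    return '<form method="post" action="' . $action . '">'
         . '<input type="submit" value="submit" /></form>';
}

// 1. Vulnerable: raw PHP_SELF lands inside a double-quoted attribute.
function vulnerable_action(array $server): string
{
    return $server['PHP_SELF'];
}

// 2. Escaped for the attribute context. ENT_QUOTES covers both quote styles;
//    the explicit charset keeps the escaping independent of php.ini defaults.
function escaped_action(array $server): string
{
    return htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
}

// 3. SCRIPT_NAME never includes PATH_INFO, so the injected suffix is absent.
//    Still escaped: defence in depth against whatever else ends up in it.
function script_name_action(array $server): string
{
    return htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
}

// 4. rawurlencode() per path segment. Encoding the whole string would also turn
//    the separating slashes into %2F, which Apache rejects by default.
function percent_encoded_action(array $server): string
{
    $segments = explode('/', $server['PHP_SELF']);
    return implode('/', array_map('rawurlencode', $segments));
}

// A correctly built form contains exactly three '<': <form>, <input>, </form>.
// Any more means the action value opened a tag of its own.
function breaks_out_of_attribute(string $html): bool
{
    return substr_count($html, '<') > 3;
}

$server = simulated_server();
$variants = [
    'vulnerable'       => vulnerable_action($server),
    'htmlspecialchars' => escaped_action($server),
    'SCRIPT_NAME'      => script_name_action($server),
    'rawurlencode'     => percent_encoded_action($server),
];
foreach ($variants as $label => $action) {
    $html = form_html($action);
    printf("%-17s %-4s %s\n", $label, breaks_out_of_attribute($html) ? 'XSS' : 'safe', $html);
}
```

Two caveats. rawurlencode() over the whole value would also encode the path separators as %2F, which Apache refuses by default (AllowEncodedSlashes Off), hence the per-segment split; the encoded variant is safe as an attribute value but still posts back to the attacker's path, so SCRIPT_NAME is the better choice when the form should target the script itself. And htmlspecialchars() is output encoding for string-built HTML only: if the page is assembled with DOMDocument, pass the raw value to setAttribute() and let the serializer escape it on output, otherwise the value is escaped twice.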