Re: [PHP] Which file "Included" me?

2009-02-22 Thread RottenEye

But we could use rawurlencode($_SERVER['PHP_SELF']), no?

João


Michael A. Peters wrote:

Nisse Engström wrote:

On Wed, 18 Feb 2009 10:37:53 -0800, "Michael A. Peters" wrote:

http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html 



explains a technique to validate the input as well (don't trust that 
is clean)


Amazing! Not once did they mention htmlspecialchars().


/Nisse



htmlspecialchars causes problems if you are going to use the data with 
DOMDocument.


I believe the point was to produce a proper _SERVER['PHP_SELF'] - not a 
sanitized but still borked version.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Which file "Included" me?

2009-02-19 Thread Michael A. Peters

Nisse Engström wrote:

On Wed, 18 Feb 2009 10:37:53 -0800, "Michael A. Peters" wrote:


http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html

explains a technique to validate the input as well (don't trust that is 
clean)


Amazing! Not once did they mention htmlspecialchars().


/Nisse



htmlspecialchars causes problems if you are going to use the data with 
DOMDocument.


I believe the point was to produce a proper _SERVER['PHP_SELF'] - not a 
sanitized but still borked version.





Re: [PHP] Which file "Included" me?

2009-02-19 Thread Nisse Engström
On Wed, 18 Feb 2009 10:37:53 -0800, "Michael A. Peters" wrote:

> http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html
> 
> explains a technique to validate the input as well (don't trust that is 
> clean)

Amazing! Not once did they mention htmlspecialchars().


/Nisse




Re: [PHP] Which file "Included" me?

2009-02-18 Thread Dotan Cohen
> Did you actually try his example?

No, I could not understand it. Now I see why:
1) Where would the "experienced hacker" enter the attack? Now I see
that it is the URL of the attacked site. That was not clear, I thought
that it was being entered into some form element that I did not see in
the code.
2) I thought that yoursite.com is the attacked site, and mysite.com is
the attacking site. Now I see that the author just messed up and they
both should have been yoursite.com.

Why not just use SCRIPT_NAME then? It doesn't contain the path variables.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه‍-و-ي
А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-Р-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-Э-Ю-Я
а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
ä-ö-ü-ß-Ä-Ö-Ü


Re: [PHP] Which file "Included" me?

2009-02-18 Thread Shawn McKenzie
Michael A. Peters wrote:
> Dotan Cohen wrote:
>>> http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html
>>>
>>>
>>> explains a technique to validate the input as well (don't trust that is
>>> clean)
>>>
>>
>> I do not understand the exploit. How is he spoofing any $_SERVER
>> variables? The attack description doesn't make sense.
>>
> 
> Did you actually try his example?
> Some browsers may have some client side protection and not execute it. I
> believe suhosin protects against it server side.
> NoScript would block it, even if you had scripts enabled globally.
> 
> 
> foo
> 
> 
> 
>   
> 
> 
> 
> 
> 
> Put that on a server w/o suhosin, turn off NoScript, and try it.
> If it doesn't work with current firefox - try with an older version of IE.

Works for me with Firefox 3.0.6, Apache/2.2.8 (Ubuntu)
PHP/5.2.4-2ubuntu5.5 with Suhosin-Patch 0.9.6.2.

-- 
Thanks!
-Shawn
http://www.spidean.com




Re: [PHP] Which file "Included" me?

2009-02-18 Thread Shawn McKenzie
Dotan Cohen wrote:
>> http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html
>>
>> explains a technique to validate the input as well (don't trust that is
>> clean)
>>
> 
> I do not understand the exploit. How is he spoofing any $_SERVER
> variables? The attack description doesn't make sense.
> 

Well, when you visit that page, $_SERVER['PHP_SELF'] is set to the value
of his URL: form.php/%22%3E%3Cscript%3Ealert(’XSS
attack!’)%3C/script%3E%3Cbr

The page then echoes out $_SERVER['PHP_SELF'], which, when those urlencoded
characters are decoded, becomes the script action that you see.
Test it for yourself.

Note, if you copy paste the code, then the delimiters around XSS attack!
are actually apostrophes so it doesn't work, but if you change them to
single quotes it works as advertised, except there is a wayward " in the
 as .  This doesn't keep the script from executing though.

I prefer valid markup in my exploits, so I use:

form.php/%22%3E%3Cscript%3Ealert('XSS attack!')%3C/script%3E%3Chr
class=%22nothing

-- 
Thanks!
-Shawn
http://www.spidean.com
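The mechanism Shawn describes, next to the fixes proposed elsewhere in the thread (SCRIPT_NAME, htmlspecialchars(), rawurlencode(), and the DOMDocument caveat), as an added PHP example that is not code from any poster; the $server array is constructed to mirror what Apache sets for that request.

```php
<?php
// Added example, not code from the thread: how PHP_SELF picks up PATH_INFO and
// the context-specific fixes the thread discusses. The request is constructed.
declare(strict_types=1);

// Constructed request for the URL in Shawn's message, as Apache hands it to
// PHP: nothing after form.php is a real file, so the rest becomes PATH_INFO.
$server = [
    'SCRIPT_NAME' => '/form.php',
    'PATH_INFO'   => '/"><script>alert(\'XSS attack!\')</script><hr class="nothing',
];
// PHP_SELF is SCRIPT_NAME plus the already-decoded PATH_INFO: attacker data.
$server['PHP_SELF'] = $server['SCRIPT_NAME'] . $server['PATH_INFO'];

// Vulnerable: the raw value closes the attribute and the tag early.
function formActionUnsafe(array $s): string {
    return '<form action="' . $s['PHP_SELF'] . '">';
}

// Fix 1 (Dotan): SCRIPT_NAME never carries PATH_INFO; escape it anyway.
function formActionScriptName(array $s): string {
    return '<form action="' . htmlspecialchars($s['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8') . '">';
}

// Fix 2 (Nisse): htmlspecialchars neutralises < > " ' & for HTML context.
function formActionEscaped(array $s): string {
    return '<form action="' . htmlspecialchars($s['PHP_SELF'], ENT_QUOTES, 'UTF-8') . '">';
}

// Fix 3 (João): rawurlencode per segment keeps the slashes as separators and
// percent-encodes everything else: a valid URL with no attribute-breaking chars.
function formActionUrlEncoded(array $s): string {
    $segments = array_map('rawurlencode', explode('/', $s['PHP_SELF']));
    return '<form action="' . implode('/', $segments) . '">';
}

// Michael's caveat: DOMDocument escapes quotes and ampersands itself, so an
// htmlspecialchars()'d string would be double-encoded (&quot; -> &amp;quot;).
function formActionDom(array $s): string {
    $doc  = new DOMDocument();
    $form = $doc->createElement('form');
    $form->setAttribute('action', $s['PHP_SELF']); // raw value; DOM escapes it
    return $doc->saveHTML($form);
}

foreach (['formActionUnsafe', 'formActionScriptName', 'formActionEscaped',
          'formActionUrlEncoded', 'formActionDom'] as $fn) {
    printf("%-21s %s\n", $fn . ':', $fn($server));
}
```

Run it with the CLI and compare the five lines: only the first one contains a literal `<script>` inside the attribute.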




Re: [PHP] Which file "Included" me?

2009-02-18 Thread Michael A. Peters

Dotan Cohen wrote:

http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html

explains a technique to validate the input as well (don't trust that is
clean)



I do not understand the exploit. How is he spoofing any $_SERVER
variables? The attack description doesn't make sense.



Did you actually try his example?
Some browsers may have some client side protection and not execute it. I 
believe suhosin protects against it server side.

NoScript would block it, even if you had scripts enabled globally.


foo



  





Put that on a server w/o suhosin, turn off NoScript, and try it.
If it doesn't work with current firefox - try with an older version of IE.




Re: [PHP] Which file "Included" me?

2009-02-18 Thread Dotan Cohen
> http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html
>
> explains a technique to validate the input as well (don't trust that is
> clean)
>

I do not understand the exploit. How is he spoofing any $_SERVER
variables? The attack description doesn't make sense.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه‍-و-ي
А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-Р-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-Э-Ю-Я
а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
ä-ö-ü-ß-Ä-Ö-Ü


Re: [PHP] Which file "Included" me?

2009-02-18 Thread Sudheer

Robert Cummings wrote:

On Wed, 2009-02-18 at 23:57 +0530, Sudheer wrote:
  

Ed Curtis wrote:

Is there a function or variable that will tell me if a file has asked 
another file to include something much the same as 
$_SERVER['HTTP_REFERER'] works. I have a script that is included on 
every page of a site but also needs to include some javascript only if 
it's called from a certain URL.


thanks,

Ed

  

Are you looking for $_SERVER['PHP_SELF'] ?



I'd use $_SERVER['REQUEST_URI'] :)

Cheers,
Rob.
  

Hi Ed Curtis,

Just do

var_dump($_SERVER) ;

and see which array key to use. REQUEST_URI gives you the request 
parameters as well, whereas PHP_SELF gives you the script name only.



--

With warm regards,
Sudheer. S
Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
Personal: http://sudheer.net





Re: [PHP] Which file "Included" me?

2009-02-18 Thread Shawn McKenzie
Michael A. Peters wrote:
> Ed Curtis wrote:
>> Is there a function or variable that will tell me if a file has asked
>> another file to include something much the same as
>> $_SERVER['HTTP_REFERER'] works. I have a script that is included on
>> every page of a site but also needs to include some javascript only if
>> it's called from a certain URL.
>>
>> thanks,
>>
>> Ed
>>
> 
> $_SERVER['PHP_SELF']

As Rob pointed out, $_SERVER['REQUEST_URI'] will give you the URI
whereas $_SERVER['PHP_SELF'] will only give the path and script name.

For:  http://localhost/www/test.php?var=val

$_SERVER['PHP_SELF'] = /www/test.php
$_SERVER['REQUEST_URI'] = /www/test.php?var=val

-- 
Thanks!
-Shawn
http://www.spidean.com
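Applied to Ed's original question, as an added example that is not from the thread: an included file deciding whether it was reached via /www/test.php using the keys compared above. serverFor() is a hypothetical helper that fills the three keys the way Apache would for a constructed request.

```php
<?php
// Added example, not code from the thread: the included file from Ed's
// question deciding whether to emit its JavaScript. Requests are constructed
// the way Apache would fill $_SERVER, using the keys compared above.
declare(strict_types=1);

// Build the three keys for a request; $pathInfo is the trailing part of the
// path that is not a real file (Apache's PATH_INFO).
function serverFor(string $requestUri, string $pathInfo = ''): array {
    $path   = (string) parse_url($requestUri, PHP_URL_PATH);
    $script = $pathInfo === '' ? $path : substr($path, 0, -strlen($pathInfo));
    return [
        'REQUEST_URI' => $requestUri,          // path + query, as requested
        'SCRIPT_NAME' => $script,              // resolved script only
        'PHP_SELF'    => $script . $pathInfo,  // script + PATH_INFO
    ];
}

// Brittle: a substring test on REQUEST_URI fires for any request that merely
// mentions the page, e.g. as a query-string value of another script.
function wantsJsBySubstring(array $s): bool {
    return strpos($s['REQUEST_URI'], '/www/test.php') !== false;
}

// Also brittle: exact match on PHP_SELF breaks as soon as PATH_INFO is present.
function wantsJsByPhpSelf(array $s): bool {
    return $s['PHP_SELF'] === '/www/test.php';
}

// Robust: exact comparison against SCRIPT_NAME, which has neither the query
// string nor PATH_INFO attached.
function wantsJsByScriptName(array $s): bool {
    return $s['SCRIPT_NAME'] === '/www/test.php';
}

$cases = [
    'the page itself'     => serverFor('/www/test.php?var=val'),
    'another script'      => serverFor('/www/other.php?next=/www/test.php'),
    'page with path info' => serverFor('/www/test.php/extra', '/extra'),
];
foreach ($cases as $label => $s) {
    printf("%-20s substring=%-5s php_self=%-5s script_name=%s\n", $label,
        var_export(wantsJsBySubstring($s), true),
        var_export(wantsJsByPhpSelf($s), true),
        var_export(wantsJsByScriptName($s), true));
}
```

Only the SCRIPT_NAME comparison is true for exactly the two requests that actually ran /www/test.php.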




Re: [PHP] Which file "Included" me?

2009-02-18 Thread Michael A. Peters

Ed Curtis wrote:
Is there a function or variable that will tell me if a file has asked 
another file to include something much the same as 
$_SERVER['HTTP_REFERER'] works. I have a script that is included on 
every page of a site but also needs to include some javascript only if 
it's called from a certain URL.


thanks,

Ed



http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html

explains a technique to validate the input as well (don't trust that is 
clean)





Re: [PHP] Which file "Included" me?

2009-02-18 Thread Michael A. Peters

Ed Curtis wrote:
Is there a function or variable that will tell me if a file has asked 
another file to include something much the same as 
$_SERVER['HTTP_REFERER'] works. I have a script that is included on 
every page of a site but also needs to include some javascript only if 
it's called from a certain URL.


thanks,

Ed



$_SERVER['PHP_SELF']




Re: [PHP] Which file "Included" me?

2009-02-18 Thread Robert Cummings
On Wed, 2009-02-18 at 23:57 +0530, Sudheer wrote:
> Ed Curtis wrote:
> > Is there a function or variable that will tell me if a file has asked 
> > another file to include something much the same as 
> > $_SERVER['HTTP_REFERER'] works. I have a script that is included on 
> > every page of a site but also needs to include some javascript only if 
> > it's called from a certain URL.
> >
> > thanks,
> >
> > Ed
> >
> Are you looking for $_SERVER['PHP_SELF'] ?

I'd use $_SERVER['REQUEST_URI'] :)

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] Which file "Included" me?

2009-02-18 Thread Sudheer

Ed Curtis wrote:
Is there a function or variable that will tell me if a file has asked 
another file to include something much the same as 
$_SERVER['HTTP_REFERER'] works. I have a script that is included on 
every page of a site but also needs to include some javascript only if 
it's called from a certain URL.


thanks,

Ed


Are you looking for $_SERVER['PHP_SELF'] ?


--

With warm regards,
Sudheer. S
Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
Personal: http://sudheer.net





Re: [PHP] Which file "Included" me?

2009-02-18 Thread APseudoUtopia
On Wed, Feb 18, 2009 at 1:16 PM, Ed Curtis  wrote:
> Is there a function or variable that will tell me if a file has asked
> another file to include something much the same as $_SERVER['HTTP_REFERER']
> works. I have a script that is included on every page of a site but also
> needs to include some javascript only if it's called from a certain URL.
>
> thanks,
>
> Ed
>

Maybe include_once() would help? Or require_once() ?
