[opensuse] PHP Question
Hi all,

After turning off PHP global variables this line will no longer work.

<form method="post" action="<?php echo $PHP_SELF?>">

When I use the form the source looks like this:

<form method="post" action="">

So, the problem is $PHP_SELF. Can someone tell me what to use instead?

Thanks!
JIM
--
Jim Hatridge
Linux User #88484
Ebay ID: WartHogBulletin
------------------------------------------------------
WartHog Bulletin
Info about new German Stamps
http://www.WartHogBulletin.de

Many Enemies -- Much Honor!
Anti-US Propaganda stamp collection
http://www.manyenemies-muchhonor.info

An American in Bavaria
http://www.gaubodengalerie.de
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Fri, 2007-04-27 at 17:44 +0200, James Hatridge wrote:
Hi all,
After turning off PHP global variables this line will no longer work.
<form method="post" action="<?php echo $PHP_SELF?>">
When I use the form the source looks like this:
<form method="post" action="">
<form method="post" action="<?php echo $SEVER['PHP_SELF']; ?>">
--
JDL
Hi John et al.. On Friday 27 April 2007 18:47, John D Lamb wrote:
On Fri, 2007-04-27 at 17:44 +0200, James Hatridge wrote:
Hi all,
After turning off PHP global variables this line will no longer work.
<form method="post" action="<?php echo $PHP_SELF?>">
When I use the form the source looks like this:
<form method="post" action="">
<form method="post" action="<?php echo $SEVER['PHP_SELF']; ?>">
I tried this (with $SERVER, not SEVER) and did not work. It had the same error. Any other ideas?

Thanks,
JIM
James Hatridge wrote:
Hi John et al.. On Friday 27 April 2007 18:47, John D Lamb wrote:
On Fri, 2007-04-27 at 17:44 +0200, James Hatridge wrote:
Hi all,
After turning off PHP global variables this line will no longer work.
<form method="post" action="<?php echo $PHP_SELF?>">
When I use the form the source looks like this:
<form method="post" action=""> <form method="post" action="<?php echo $SEVER['PHP_SELF']; ?>">
I tried this (with $SERVER, not SEVER) and did not work. It had the same error. Any other ideas?
It's $_SERVER.

http://www.php.net/manual/en/reserved.variables.php
--
Jonathan Arnold (mailto:jdarnold@buddydog.org)
Daemon Dancing in the Dark, an Open OS weblog: http://freebsd.amazingdev.com/blog/
UNIX is user-friendly. It's just a bit picky about who its friends are.
John D Lamb wrote:
On Fri, 2007-04-27 at 17:44 +0200, James Hatridge wrote:
Hi all,
After turning off PHP global variables this line will no longer work.
<form method="post" action="<?php echo $PHP_SELF?>">
When I use the form the source looks like this:
<form method="post" action="">
<form method="post" action="<?php echo $SEVER['PHP_SELF']; ?>">
s/EV/ERV/
--
Jos van Kan
registered Linux user #152704
John D Lamb wrote:
<form method="post" action="<?php echo $SEVER['PHP_SELF']; ?>">
Sure, and then you get a free security hole. It should say:

<form method="post" action="<?php echo $_SERVER['SCRIPT_NAME']; ?>">

or, in case you **really** want to use PHP_SELF:

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
On Friday 27 April 2007 14:26, Cristian Rodriguez R. wrote:
John D Lamb wrote:
<form method="post" action="<?php echo $SEVER['PHP_SELF']; ?>">
Sure, and then you get a free security hole.
It should say:
<form method="post" action="<?php echo $_SERVER['SCRIPT_NAME']; ?>">
or in case you **really** want to use PHP_SELF
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
If that's true, then anyone could just grab the HTML, change the SCRIPT_NAME back to PHP_SELF, edit or add an action= attribute so the original server's URL is targeted, and that server is rendered vulnerable again.

So again I ask, is PHP really this insecure? Are all the phpBB sites, all the MediaWikis (including WikiPedia) vulnerable to such a trivial exploit? I hope not...

Randall Schulz
Randall R Schulz wrote:
On Friday 27 April 2007 14:26, Cristian Rodriguez R. wrote:
John D Lamb wrote:
<form method="post" action="<?php echo $SEVER['PHP_SELF']; ?>">
Sure, and then you get a free security hole.
It should say:
<form method="post" action="<?php echo $_SERVER['SCRIPT_NAME']; ?>">
or in case you **really** want to use PHP_SELF
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
If that's true, then anyone could just grab the HTML, change the SCRIPT_NAME back to PHP_SELF,
Huh? PHP is interpreted on the server... they will not be able to change what code is executed on the server. However, in this case there is an XSS hole if you use PHP_SELF without sanitization. See a practical example: http://blog.phpdoc.info/archives/13-XSS-Woes.html
On Friday 27 April 2007 15:16, Cristian Rodriguez R. wrote:
Randall R Schulz wrote:
On Friday 27 April 2007 14:26, Cristian Rodriguez R. wrote:
<form method="post" action="<?php echo $SEVER['PHP_SELF']; ?>">
Sure, and then you get a free security hole.
It should say:
<form method="post" action="<?php echo $_SERVER['SCRIPT_NAME']; ?>">
or in case you **really** want to use PHP_SELF
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
If that's true, then anyone could just grab the HTML, change the SCRIPT_NAME back to PHP_SELF,
Huh? PHP is interpreted on the server... they will not be able to change what code is executed on the server.
I know PHP runs on the server. But you're talking about <form> elements in the HTML that resides in clients browsers. You can serve anything you like, but you cannot keep people from altering it and then loading the altered HTML into their browser and submitting the form-generated requests from the altered HTML to your server. In essence you're accepting fragments of PHP code from the client, which is often a security risk. It's similar to taking user-supplied text, interleaving it with fragments of SQL statement text and submitting the result as commands to your database.
...
Randall Schulz
Randall R Schulz wrote:
In essence you're accepting fragments of PHP code
from the client
Nope. I'm accepting a value of type string, that in this particular case can be used to execute malicious code **on the client side**. You are mixing apples with pears: SQL injection is one thing and XSS is another, quite different, but caused by the same problem, bad user input validation/escaping/whatever. (Not a PHP problem, btw.)
On Friday 27 April 2007 19:09, Cristian Rodriguez R. wrote:
Randall R Schulz wrote:
In essence you're accepting fragments of PHP code
from the client
Nope. I'm accepting a value of type string, that in this particular case can be used to execute malicious code **on the client side**.
But as you said, the PHP is only running on the server.
You are mixing apples with pears: SQL injection is one thing and XSS is another, quite different, but caused by the same problem, bad user input validation/escaping/whatever. (Not a PHP problem, btw.)
You've got to clarify this. I see an HTML form that submits PHP code. How is that not an avenue for an injection exploit?

What is XSS?

Randall Schulz
Randall R Schulz wrote:
You've got to clarify this. I see an HTML form that submits PHP code.
No, the HTML form does not submit PHP code; what you are seeing **is** PHP code mixed with HTML, which is interpreted on the server.

<form method="post" action="<?php echo $SEVER['PHP_SELF']; ?>">

will be displayed to the user's browser as:

<form method="post" action="myscript.php">

where myscript.php is the name of the current script in execution. In this case, the programmer's laziness permits an XSS attack:

http://example.com/myscript.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo

as PHP_SELF contains more than the script name; it contains PATH_INFO and other stuff. If you really only want the script name, you have to use $_SERVER['SCRIPT_NAME'];
How is that not an avenue for an injection exploit?
It is, but for XSS.
What is XSS?
XSS == Cross Site Scripting http://en.wikipedia.org/wiki/Cross_site_scripting
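As an added example, not code from the thread or from any of its posters, the PHP CLI script below reproduces the point made above and the two fixes suggested earlier in the thread (SCRIPT_NAME, or PHP_SELF wrapped in htmlspecialchars). The $server arrays are constructed to mimic what PHP populates for a request to /myscript.php with the hostile path info from the URL quoted above; the example assumes the usual Apache/mod_php behaviour that PHP_SELF is SCRIPT_NAME plus the URL-decoded PATH_INFO. The function names are this example's own.

```php
<?php
// Added example (not from the thread): why echoing $_SERVER['PHP_SELF']
// unescaped into a form action is an XSS sink, and two ways to fix it.
declare(strict_types=1);

// Unsafe: the request path is reflected verbatim into an HTML attribute.
function form_action_unsafe(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Fix 1: SCRIPT_NAME is the path of the executing script only, without
// PATH_INFO. It is escaped anyway: anything that lands inside an attribute
// should be escaped as a matter of habit, whatever its source.
function form_action_script_name(array $server): string
{
    return '<form method="post" action="'
        . htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8') . '">';
}

// Fix 2: keep PHP_SELF but HTML-escape it. The attacker's quote and angle
// brackets become entities and can no longer close the attribute or the tag.
function form_action_php_self_escaped(array $server): string
{
    return '<form method="post" action="'
        . htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8') . '">';
}

// Reviewer's check: the text between action=" and the closing "> must not
// contain a raw double quote or '<'. If it does, the attribute was broken
// out of and the browser will see attacker-controlled markup.
function action_attribute_is_intact(string $tag): bool
{
    if (!preg_match('/action="(.*)">$/s', $tag, $m)) {
        return false;
    }
    return strpos($m[1], '"') === false && strpos($m[1], '<') === false;
}

// Constructed inputs (assumption: PHP_SELF = SCRIPT_NAME + decoded PATH_INFO,
// as under Apache/mod_php). The hostile path is what the URL quoted in the
// thread decodes to:
//   /myscript.php/"><script>alert('xss')</script><foo
$requests = [
    'benign' => [
        'SCRIPT_NAME' => '/myscript.php',
        'PHP_SELF'    => '/myscript.php',
    ],
    'hostile' => [
        'SCRIPT_NAME' => '/myscript.php',
        'PHP_SELF'    => '/myscript.php/"><script>alert(\'xss\')</script><foo',
    ],
];

foreach ($requests as $label => $server) {
    echo "== $label request ==\n";
    foreach ([
        'unsafe PHP_SELF ' => form_action_unsafe($server),
        'SCRIPT_NAME     ' => form_action_script_name($server),
        'escaped PHP_SELF' => form_action_php_self_escaped($server),
    ] as $name => $tag) {
        $verdict = action_attribute_is_intact($tag) ? 'intact' : 'BROKEN OUT';
        echo "$name [$verdict]: $tag\n";
    }
    echo "\n";
}
```

Run it with php from the command line. For the hostile request the unsafe variant prints a tag whose action attribute ends at the attacker's quote, followed by a live <script> element, and the check reports BROKEN OUT; both fixed variants keep the whole path inside the attribute as entity-encoded text. Note that the SCRIPT_NAME variant also changes what the form posts to (the script alone, without the extra path), which is usually what was intended anyway.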
On Friday 27 April 2007 20:37, Cristian Rodriguez R. wrote:
Randall R Schulz wrote:
You've got to clarify this. I see an HTML form that submits PHP code.
No, the HTML form does not submit PHP code; what you are seeing **is** PHP code mixed with HTML, which is interpreted on the server.
<form method="post" action="<?php echo $SEVER['PHP_SELF']; ?>">
will be displayed to the user's browser as:
<form method="post" action="myscript.php">
where myscript.php is the name of the current script in execution.
In this case, the programmer's laziness permits an XSS attack.
I see.
...
How is that not an avenue for an injection exploit?
It is, but for XSS.
What is XSS?
XSS == Cross Site Scripting
I'm aware of the issue, just not the acronym.

RRS
On Fri, 2007-04-27 at 17:26 -0400, Cristian Rodriguez R. wrote:
John D Lamb wrote:
<form method="post" action="<?php echo $SEVER['PHP_SELF']; ?>">
Sure, and then you get a free security hole.
Oops. I should have copied this instead of assuming I wouldn't make two errors in a single line of code.
--
JDL
John D Lamb wrote:
On Fri, 2007-04-27 at 17:26 -0400, Cristian Rodriguez R. wrote:
John D Lamb wrote:
<form method="post" action="<?php echo $SEVER['PHP_SELF']; ?>">
Sure, and then you get a free security hole.
Oops. I should have copied this instead of assuming I wouldn't make two errors in a single line of code.
Don't worry too much, this specific bug is present in a lot of applications, even in a well-known PHP security guide that is widely used as a good programming reference. See my blog post: http://blog.flyspray.org/archives/7-Amusing-security-hole-in-Shifletts-secur...
Participants (6): Cristian Rodriguez R., James Hatridge, John D Lamb, Jonathan Arnold, Jos van Kan, Randall R Schulz