Vulnerability Development mailing list archives

Re: PHP and SCRIPT_NAME variable

From: Harald Eder <contact () eder-harald com>
Date: Wed, 22 Feb 2006 08:38:37 +0100

Sorry, I forgot to insert the initial question, here is it:

Roman Medina-Heigl Hernandez wrote:

Hello,

Last week I was thinking about the possibility for an external attacker to
influence over the following PHP variable:
$_SERVER['SCRIPT_NAME']

The former variable contains the remote path (URI) to a PHP script, so if
for instance you access with a browser to:
http://<site>/aa/bb/cc/script.php
Then SCRIPT_NAME will contain "/aa/bb/cc/script.php"

I did some basic tests with PHP 4.3.10 and the implementation seems to be safe:
- For instance, if you access something like:
http://<site>/aa/bb/../dd/cc/script.php
Then SCRIPT_NAME will be "/aa/dd/cc/script.php"
instead of "/aa/bb/../dd/cc/script.php"
- If you try:
http://<site>/aa/bb/cc/script.php/something
or
http://<site>/aa/bb/cc/script.php?something
Then SCRIPT_NAME will contain "/aa/bb/cc/script.php"

My goal is to be able to add some attacker-specified string to the
variable. Two questions:
1) Do you know of any trick/method by which an attacker could alter
SCRIPT_NAME variable? (obviusly without having access to docroot directory
and/or edit httpd.conf)
2) Perhaps older PHP versions didn't sanitize SCRIPT_NAME variable
correctly and could be abused? Any idea?

TIA.

Cheers,
-Román


Regards,
Harald Eder


Serg Belokamen wrote::

Sorry I haven't been following the topic from the very beginning,
could someone please re-post the original question.

Thank you,
   Serg

On 21 Feb 2006 22:00:18 -0000, contact () eder-harald com
<contact () eder-harald com> wrote:

Hi,

as far as I know the elements of the $_SERVER array are filled by the webserver and therefore a manipulation through a 
php trick might by difficult.

From my opinion it will be easier to alter this values through a trick on the webserver for instance by using a bug in 
Apache but I do not know about any which might do this.

Anyway, its quite a interesting point of view because many php scripts use the $_SERVER['REMOTE_ADDR'] value for their 
session management und maybe some other array items too.

But it would be also quite interesting if php uses the items of this array to do something or if its just an array with 
no effect for the php scripts. Does anybody know more about this?

Current thread:

PHP and SCRIPT_NAME variable Roman Medina-Heigl Hernandez (Feb 21)
- <Possible follow-ups>
- Re: PHP and SCRIPT_NAME variable contact (Feb 21)
  - Message not available
    - Re: PHP and SCRIPT_NAME variable Harald Eder (Feb 22)
    - Re: PHP and SCRIPT_NAME variable Serg Belokamen (Feb 23)
    - Re: PHP and SCRIPT_NAME variable Roman Medina-Heigl Hernandez (Feb 23)