Re: PHP and SCRIPT_NAME variable

["Serg Belokamen" <serg.belokamen () gmail com>]

I am quiet sure you can't exploit $_SERVER["SCRIPT_NAME"] variable
unless there is a buffer overflow or something, but then again you
would be limited by the size of data allowed withing GET request... So
doubt you get anything evil out of that.

However if you swap yoru example from:

$_SERVER["SCRIPT_NAME"]

to

$_SERVER["PHP_SELF"]

That a lot of forms use as a value for "action" attribute you will
then be able to perform XSS attack with something equivalant to:

http://<site>/aa/bb/../dd/cc/script.php/URL_ENCODED_STRING

It works, you will need to anticipate where you need to close and open
a tag to still have a valid HTML file.

For example:

Valid:
<form method="POST" action="<?= $_SERVER["PHP_SELF"] ?>">

Attack string:
/">URL_ENCODED_JS_STRING<span id="

Attack URL:
http://<site>/aa/bb/../dd/cc/script.php/">URL_ENCODED_JS_STRING<span id="

Result:
<form method="POST" action="<?= $_SERVER["PHP_SELF"]
?>">URL_ENCODED_JS_STRING<span id="">

This is from memory, I actualy have a working example at home to setup
SID theft environment via XSS... Can post in greater detail if need
be, but Google should have the info anyway.

   Hope it helps,
      Serg

On 22/02/06, Harald Eder <contact () eder-harald com> wrote:
> Sorry, I forgot to insert the initial question, here is it:
>
> Roman Medina-Heigl Hernandez wrote:
> > Hello,
> >
> > Last week I was thinking about the possibility for an external attacker to
> > influence over the following PHP variable:
> > $_SERVER['SCRIPT_NAME']
> >
> > The former variable contains the remote path (URI) to a PHP script, so if
> > for instance you access with a browser to:
> > http://<site>/aa/bb/cc/script.php
> > Then SCRIPT_NAME will contain "/aa/bb/cc/script.php"
> >
> > I did some basic tests with PHP 4.3.10 and the implementation seems to be safe:
> > - For instance, if you access something like:
> > http://<site>/aa/bb/../dd/cc/script.php
> > Then SCRIPT_NAME will be "/aa/dd/cc/script.php"
> > instead of "/aa/bb/../dd/cc/script.php"
> > - If you try:
> > http://<site>/aa/bb/cc/script.php/something
> > or
> > http://<site>/aa/bb/cc/script.php?something
> > Then SCRIPT_NAME will contain "/aa/bb/cc/script.php"
> >
> > My goal is to be able to add some attacker-specified string to the
> > variable. Two questions:
> > 1) Do you know of any trick/method by which an attacker could alter
> > SCRIPT_NAME variable? (obviusly without having access to docroot directory
> > and/or edit httpd.conf)
> > 2) Perhaps older PHP versions didn't sanitize SCRIPT_NAME variable
> > correctly and could be abused? Any idea?
> >
> > TIA.
> >
> > Cheers,
> > -Román
>
> Regards,
> Harald Eder
>
>
> Serg Belokamen wrote::
> > Sorry I haven't been following the topic from the very beginning,
> > could someone please re-post the original question.
> >
> > Thank you,
> >    Serg
> >
> > On 21 Feb 2006 22:00:18 -0000, contact () eder-harald com
> > <contact () eder-harald com> wrote:
> >
> > > Hi,
> > >
> > > as far as I know the elements of the $_SERVER array are filled by the webserver and therefore a manipulation 
> > > through a php trick might by difficult.
> > >
> > > From my opinion it will be easier to alter this values through a trick on the webserver for instance by using a 
> > > bug in Apache but I do not know about any which might do this.
> > >
> > > Anyway, its quite a interesting point of view because many php scripts use the $_SERVER['REMOTE_ADDR'] value for 
> > > their session management und maybe some other array items too.
> > >
> > > But it would be also quite interesting if php uses the items of this array to do something or if its just an array 
> > > with no effect for the php scripts. Does anybody know more about this?