  1. #1
    New Coder
    Join Date
    Aug 2007
    Location
    Germany
    Posts
    22
    Thanks
    4
    Thanked 2 Times in 2 Posts

    Secure $_SERVER superglobals?

    Hello all!

    I've read over the weekend that $_SERVER superglobals are not safe.
    PHP Architect's Guide to PHP Security states:
    Code:
    // Given URL of: php.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo
    // Server Environment Variables will be as follows:
    $_SERVER["PATH_INFO"] = /"><script>alert('xss')</script><foo
    $_SERVER["PATH_TRANSLATED"] = /home/forum/F/"><script>alert('xss')</script><foo
    $_SERVER["PHP_SELF"] = /php.php/"><script>alert('xss')</script><foo
    But the book does not clearly describe how these variables can be exploited.

    Should I really test all $_SERVER superglobals or only those I am using somewhere in the program, e.g. $_SERVER["PHP_SELF"]?

    Would I not spoil their content if I do the following:
    $_SERVER["PHP_SELF"] = htmlspecialchars($_SERVER["PHP_SELF"])?

    Are there any standard methods to make superglobals safe?

    thx in advance
    Last edited by alex375; 09-03-2007 at 03:03 PM.
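
    As an added example (not from the thread or the book), the PHP below reproduces the book's PATH_INFO case with a constructed stand-in for $_SERVER and contrasts the raw form action with htmlspecialchars() applied at the point of output. The SCRIPT_NAME variant is an assumption of mine, not something the thread proposes; it simply shows a server value to which the client cannot append path info.

```php
<?php
// Added example, not code from the thread. $server is a constructed
// stand-in for $_SERVER so the script runs offline and deterministically.

function buildServerForBookUrl(): array
{
    // Constructed values mirroring the book's example request:
    //   /php.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo
    $pathInfo = '/"><script>alert(\'xss\')</script><foo';
    return [
        'SCRIPT_NAME' => '/php.php',          // the script path only
        'PATH_INFO'   => $pathInfo,            // attacker-controlled suffix
        'PHP_SELF'    => '/php.php' . $pathInfo,
    ];
}

// Vulnerable: raw PHP_SELF is placed inside an attribute, so the
// closing quote and bracket in the path end the <form> tag early
// and the rest of the path becomes live markup in the page.
function formActionRaw(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened: encode at the output point. ENT_QUOTES encodes both quote
// styles, so the value is inert inside either attribute quoting.
function formActionEscaped(array $server): string
{
    $safe = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// Assumed alternative: SCRIPT_NAME never carries PATH_INFO, so it does
// not reflect the injected suffix at all (still escaped out of habit).
function formActionScriptName(array $server): string
{
    $safe = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

$server = buildServerForBookUrl();
echo "raw:      ", formActionRaw($server), "\n";
echo "escaped:  ", formActionEscaped($server), "\n";
echo "scriptnm: ", formActionScriptName($server), "\n";
```

    Run it with the PHP CLI and compare the three lines: only the raw one contains an unencoded `<script>` tag.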

  • #2
    Senior Coder rafiki
    Join Date
    Aug 2006
    Location
    Floating around somewhere...
    Posts
    2,046
    Thanks
    19
    Thanked 42 Times in 42 Posts
    I don't think that PHP will allow you to set $_SERVER['PHP_SELF'] because its name would be reserved; however, you can
    PHP Code:
    $var = htmlspecialchars($_SERVER['PHP_SELF']);
    // then use $var accordingly
    Not sure if that's the best/safest way to clean superglobals.

  • #3
    New Coder
    Join Date
    Aug 2007
    Location
    Germany
    Posts
    22
    Thanks
    4
    Thanked 2 Times in 2 Posts
    rafiki, thank you for your quick answer, but the main question still is:
    should I secure them?

    If I have in a form, e.g.

    action="$_SERVER["PHP_SELF"]" (this is only a general example)

    But theoretically, if some JavaScript code is embedded in it, it could be quite dangerous...

  • #4
    Senior Coder kbluhm
    Join Date
    Apr 2007
    Location
    Philadelphia, PA, USA
    Posts
    1,509
    Thanks
    3
    Thanked 258 Times in 254 Posts
    You can indeed change superglobal values:
    PHP Code:
    <?php

    echo $_SERVER['PHP_SELF'];

    $_SERVER['PHP_SELF'] = 'Hello.';

    echo "\n" . $_SERVER['PHP_SELF'];

    ?>
    Outputs:
    Code:
    /folder/file.php
    Hello.

  • #5
    Senior Coder rafiki
    Join Date
    Aug 2006
    Location
    Floating around somewhere...
    Posts
    2,046
    Thanks
    19
    Thanked 42 Times in 42 Posts
    If you're paranoid, why don't you just set the form action to pagename.php?

  • #6
    New Coder
    Join Date
    Aug 2007
    Location
    Germany
    Posts
    22
    Thanks
    4
    Thanked 2 Times in 2 Posts
    I am not paranoid and I don't use PHP_SELF in the forms; as I said, that was a general example, not my special case. I just want to make it really hard to hack my site.

    So it is possible, but how then can I strip the content of PHP_SELF or other server superglobals in a way that makes them completely safe?
    I assume I should expect no danger from the superglobals I don't even use, am I right?
    Last edited by alex375; 09-03-2007 at 02:06 PM.

  • #7
    Senior Coder rafiki
    Join Date
    Aug 2006
    Location
    Floating around somewhere...
    Posts
    2,046
    Thanks
    19
    Thanked 42 Times in 42 Posts
    You could use functions to check and see if the superglobals contain anything like <script>, etc.

  • #8
    New Coder
    Join Date
    Aug 2007
    Location
    Germany
    Posts
    22
    Thanks
    4
    Thanked 2 Times in 2 Posts
    Would it not be a little too hard if I use something like:
    Code:
    $_SERVER = array_map('htmlspecialchars', $_SERVER);
    It could slow down the server...

    any other ideas?

  • #9
    Regular Coder
    Join Date
    May 2006
    Location
    Wales
    Posts
    820
    Thanks
    1
    Thanked 82 Times in 79 Posts
    'HTTP_ACCEPT'
    Contents of the Accept: header from the current request, if there is one.
    'HTTP_ACCEPT_CHARSET'
    Contents of the Accept-Charset: header from the current request, if there is one. Example: 'iso-8859-1,*,utf-8'.
    'HTTP_ACCEPT_ENCODING'
    Contents of the Accept-Encoding: header from the current request, if there is one. Example: 'gzip'.
    'HTTP_ACCEPT_LANGUAGE'
    Contents of the Accept-Language: header from the current request, if there is one. Example: 'en'.
    'HTTP_CONNECTION'
    Contents of the Connection: header from the current request, if there is one. Example: 'Keep-Alive'.
    'HTTP_HOST'
    Contents of the Host: header from the current request, if there is one.
    'HTTP_REFERER'
    The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
    'HTTP_USER_AGENT'
    Contents of the User-Agent: header from the current request, if there is one. This is a string denoting the user agent which is accessing the page. A typical example is: Mozilla/4.5 [en] (X11; U; Linux 2.2.9 i586). Among other things, you can use this value with get_browser() to tailor your page's output to the capabilities of the user agent.
    Those are the only ones that are set by the headers, when I looked at the predefined variables list that I could find.

  • #10
    Senior Coder rafiki
    Join Date
    Aug 2006
    Location
    Floating around somewhere...
    Posts
    2,046
    Thanks
    19
    Thanked 42 Times in 42 Posts
    If you want to run checks only on certain superglobals, use
    PHP Code:
    // If PHP_SELF contains <script>, die().
    // ereg() was removed in PHP 7, so preg_match() is used here; the stray
    // braces around the $_SERVER argument in the original were a syntax error.
    if (preg_match('/<script>/', $_SERVER['PHP_SELF'])) {
        $error = 'No way Hosay... no attacks on my site.';
        die($error);
    } else {
        print $_SERVER['PHP_SELF'];
    }


  • #11
    Regular Coder
    Join Date
    May 2006
    Location
    Wales
    Posts
    820
    Thanks
    1
    Thanked 82 Times in 79 Posts
    Surely JavaScript on your site would only break it for the person with the headers? JavaScript is run client-side, so it can only affect them...

  • #12
    Senior Coder rafiki
    Join Date
    Aug 2006
    Location
    Floating around somewhere...
    Posts
    2,046
    Thanks
    19
    Thanked 42 Times in 42 Posts
    You could have something like
    Code:
    ; echo $mysql_conn;
    or something similar to echo out sensitive information...

  • #13
    Regular Coder
    Join Date
    May 2006
    Location
    Wales
    Posts
    820
    Thanks
    1
    Thanked 82 Times in 79 Posts
    Quote Originally Posted by rafiki:
    You could have something like
    Code:
    ; echo $mysql_conn;
    or something similar to echo out sensitive information...
    Yes, but JavaScript can't access that data.

  • #14
    Senior Coder NancyJ
    Join Date
    Feb 2005
    Location
    Bradford, UK
    Posts
    3,174
    Thanks
    19
    Thanked 66 Times in 65 Posts
    Quote Originally Posted by Mwnciau:
    Yes, but JavaScript can't access that data.
    It doesn't need to. If the information is echoed out then it would be on the screen and the person could just write it down or copy it.

    I have actually done some XSS, just to prove a point. I modified a forum sig to have some malicious code in it that executed the PM script on their server. The JavaScript read their site cookies and PMed them to my account. Of course, being the nice person I am, I put an alert in the script to tell them it was being done.

    The basic point is: never echo out, execute or put in an SQL query user input without sanitizing it first. That includes headers sent by the browser, which can be manipulated.

  • #15
    Senior Coder NancyJ
    Join Date
    Feb 2005
    Location
    Bradford, UK
    Posts
    3,174
    Thanks
    19
    Thanked 66 Times in 65 Posts
    Quote Originally Posted by rafiki:
    You could have something like
    Code:
    ; echo $mysql_conn;
    or something similar to echo out sensitive information...
    You would have to exec() that for it to actually echo anything out.

