PHPDeveloper: PHP News, Views and Community

Subscribe

@phpdeveloper.org

News Archive

Community News: Latest PEAR Releases (03.18.2024)

Community News: Latest PEAR Releases (03.11.2024)

Community News: Latest PECL Releases (03.05.2024)

Community News: Latest PECL Releases (02.27.2024)

Community News: Latest PEAR Releases (02.26.2024)

Community News: Latest PECL Releases (02.20.2024)

Community News: Latest PECL Releases (02.13.2024)

Community News: Latest PEAR Releases (02.12.2024)

Community News: Latest PECL Releases (02.06.2024)

Community News: Latest PECL Releases (01.30.2024)

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Gareth Heyes' Blog:
PHP self return of the slash

byChris Cornutt Sep 25, 2009 @ 15:31:24

In this new post to his blog Gareth Heyes points out a legacy issue that those running older PHP4-based code might want to look into:

I thought about something I found ages ago in PHP4 and itâ€™s been long enough now. This is also quite funny because my server is vulnerable to this. So what happens if you escape PHP_SELF with htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES)? Safe from XSS? I hope so. Safe from everything? Well not really or at least it didnâ€™t used to be.

He gives a simple example of how the PHP_SELF issue can be used to change the form's target just by using a few well-placed slashes. Thankfully, this seems to be only back in the world of PHP4, so those working with PHP5 should be safe.