News Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Gareth Heyes' Blog:
Exploiting PHP SELF
January 14, 2008 @ 07:54:00

Gareth Heyes has a new post today talking about one of the vulnerable values in the $_SERVER superglobal - PHP_SELF.

I thought it might be a good idea to gather a few test cases demonstrating the problem. Why PHP allows these URL's is beyond me and it wouldn't take much work to filter out these malicious URL's in the PHP code.

He provides four test cases to show how simple it is to abuse - one using a HTTP header, another pushing XSS through, the third mentions search pages and the fourth a direct code injection.

You can download the code here.

0 comments voice your opinion now!
exploit phpself superglobal inject testcase security exploit phpself superglobal inject testcase security


blog comments powered by Disqus

Similar Posts

CodePoets.co.uk: How to use PHP and PEAR MDB2 (Tutorial)

Zend: Webinar - PHP Security Basics (Nov 28th @ 9am PST)

Lukas Smith's Blog: QA in the PHP world

NETTUTS.com: Can You Hack Your Own Site? A Look at Some Essential Security Considerations

Greg Beaver\'s Blog: Why it is very important to upgrade to PEAR 1.4.6 from PEAR 1.3.x


Community Events





Don't see your event here?
Let us know!


developer api interview podcast language release unittest install introduction application bugfix series list configure community library laravel code threedevsandamaybe wordpress

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework