Dotan Cohen wrote:
>> http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html
>>
>> explains a technique to validate the input as well (don't trust that is
>> clean)
>>
> 
> I do not understand the exploit. How is he spoofing any $_SERVER
> variables? The attack description doesn't make sense.
> 

Well, when you visit that page, $_SERVER['PHP_SELF'] is set to the value
of his URL: form.php/%22%3E%3Cscript%3Ealert(’XSS
attack!’)%3C/script%3E%3Cbr

The page then echoes out $_SERVER['PHP_SELF'], which, when those urlencoded
characters are decoded, becomes the script action that you see.
Test it for yourself.

Note: if you copy-paste the code, the delimiters around XSS attack!
are actually apostrophes, so it doesn't work; but if you change them to
single quotes it works as advertised, except there is a wayward " in the
<br>, as <br">.  This doesn't keep the script from executing, though.

I prefer valid markup in my exploits, so I use:

form.php/%22%3E%3Cscript%3Ealert('XSS attack!')%3C/script%3E%3Chr
class=%22nothing

-- 
Thanks!
-Shawn
http://www.spidean.com
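An added example, not code from the thread or from the linked forum post, showing the pattern Shawn describes (a form that echoes $_SERVER['PHP_SELF'] into its action attribute) beside the escaped form of the same output. The sample string is constructed to match the decoded URL above; the function names are assumptions.

```php
<?php
// Vulnerable: PHP_SELF includes any PATH_INFO appended to the script URL, so
// whatever follows form.php/ flows straight into the attribute unescaped.
function form_action_unsafe(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Hardened: encode for the HTML attribute context. ENT_QUOTES converts both
// double and single quotes (" becomes &quot;, ' becomes &#039;), and < and >
// become &lt; and &gt;, so the attribute can no longer be closed early and no
// tag can be opened inside it.
function form_action_safe(string $phpSelf): string
{
    $escaped = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $escaped . '" method="post">';
}

// Alternative that sidesteps the problem: SCRIPT_NAME holds only the path of
// the executing script, not the trailing PATH_INFO the visitor controls.
// It is still escaped, because nothing request-derived should hit markup raw.
function form_action_script_name(array $server): string
{
    $name = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $name . '" method="post">';
}

// Constructed sample: what $_SERVER['PHP_SELF'] contains once the web server
// has URL-decoded the request described in the thread.
$sample = "/form.php/\"><script>alert('XSS attack!')</script><hr class=\"nothing";

echo form_action_unsafe($sample), "\n";   // attribute closed, script tag emitted
echo form_action_safe($sample), "\n";     // entire payload stays inside the quotes
echo form_action_script_name(['SCRIPT_NAME' => '/form.php']), "\n";
```

Run it from the command line with `php` to compare the three lines; only the first contains a live `<script>` element.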

-- 
PHP General Mailing List (http://www.php.net/)