Michael A. Peters wrote:
> Dotan Cohen wrote:
>>> http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html
>>>
>>>
>>> explains a technique to validate the input as well (don't trust that is
>>> clean)
>>>
>>
>> I do not understand the exploit. How is he spoofing any $_SERVER
>> variables? The attack description doesn't make sense.
>>
> 
> Did you actually try his example?
> Some browsers may have some client side protection and not execute it. I
> believe suhosin protects against it server side.
> NoScript would block it, even if you had scripts enabled globally.
> 
> <html>
> <head><title>foo</title></head>
> 
> <body>
> <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
>   <input type="submit" value="submit" />
> </form>
> </body>
> 
> </html>
> 
> Put that on a server w/o suhosin, turn off NoScript, and try it.
> If it doesn't work with current firefox - try with an older version of IE.

Works for me with Firefox 3.0.6, Apache/2.2.8 (Ubuntu)
PHP/5.2.4-2ubuntu5.5 with Suhosin-Patch 0.9.6.2.

-- 
Thanks!
-Shawn
http://www.spidean.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to