php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #54584 Security warning needed
Submitted: 2011-04-21 10:33 UTC Modified: 2011-05-06 22:40 UTC
From: jstein at image dot dk Assigned:
Status: Not a bug Package: Documentation problem
PHP Version: 5.3.6 OS:
Private report: No CVE-ID: None
 [2011-04-21 10:33 UTC] jstein at image dot dk
Description:
------------
---
From manual page: http://www.php.net/reserved.variables.server#Indices
---

The page states that PHP_SELF contains "The filename of the currently executing script", but it actually contains all of the request path, which makes it open for HTML injection.

This is by design, but as PHP_SELF is widely used for FORM submission, I think a security warning would be appropriate.


Test script:
---------------
If a page contains
  <form action="<?php echo $_SERVER['PHP_SELF']; ?>">

-and the page is called with:
index.php/"><script>alert('Injection');</script><

The script is injected to the page.

Expected result:
----------------
The behavior is by design - I just think the documentation should contain a warning on the issue.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-04-21 21:15 UTC] dtajchreber@php.net
-Status: Open +Status: Bogus
 [2011-04-21 21:15 UTC] dtajchreber@php.net
We don't have security warnings for $_GET, $_POST, or $_COOKIE... or any pages 
that I can find. I don't think adding one to this page is all that crucial.
 [2011-04-21 21:43 UTC] tyra3l at gmail dot com
I disagree with you.
it's common knowledge that using $_GET, $_POST etc. without properly sanitazing 
first is dangerous.
but the XSS vulnerability about PHP_SELF is not that well-known.
at least for the average developers.

Tyrael
 [2011-05-06 22:39 UTC] bjori@php.net
-Type: Documentation Problem +Type: Security -Package: Security related +Package: Documentation problem -Private report: No +Private report: Yes
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Dec 02 22:01:23 2020 UTC