Sec Bug #54584 Security warning needed
Submitted: 2011-04-21 10:33 UTC Modified: 2011-05-06 22:40 UTC
From: jstein at image dot dk Assigned:
Status: Not a bug Package: Documentation problem
PHP Version: 5.3.6 OS:
Private report: No CVE-ID: None
 [2011-04-21 10:33 UTC] jstein at image dot dk
Description:
------------
---
From manual page: http://www.php.net/reserved.variables.server#Indices
---

The page states that PHP_SELF contains "The filename of the currently executing script", but it actually contains all of the request path, which makes it open for HTML injection.

This is by design, but as PHP_SELF is widely used for FORM submission, I think a security warning would be appropriate.


Test script:
---------------
If a page contains
  <form action="<?php echo $_SERVER['PHP_SELF']; ?>">

-and the page is called with:
index.php/"><script>alert('Injection');</script><

The script is injected to the page.

Expected result:
----------------
The behavior is by design - I just think the documentation should contain a warning on the issue.
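As an added example that is not part of the bug report, the vulnerable form action from the test script above is shown beside two hardened versions; the $_SERVER values are constructed so the file runs from the PHP CLI without a web server.

```php
<?php
// Added example (not from the bug report). The $_SERVER entries below are
// constructed so this runs from the CLI; under a web server PHP fills them in.

// What PHP_SELF contains when the reporter's URL is requested:
// the script name followed by the attacker-controlled PATH_INFO suffix.
$_SERVER['PHP_SELF']    = 'index.php/"><script>alert(\'Injection\');</script><';
// SCRIPT_NAME carries only the script path, with no PATH_INFO appended.
$_SERVER['SCRIPT_NAME'] = '/index.php';

// Vulnerable: the form action from the report, echoed without escaping.
// The double quote in PATH_INFO closes the attribute and the rest is HTML.
function form_action_unsafe(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '">';
}

// Hardened: escape for an HTML attribute context. ENT_QUOTES converts both
// quote characters, so the attribute cannot be closed early.
function form_action_escaped(): string
{
    $action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $action . '">';
}

// Alternative: use SCRIPT_NAME so the PATH_INFO suffix never reaches the
// page at all. Escaping is still applied; output encoding is not optional.
function form_action_script_name(): string
{
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $action . '">';
}

echo "unsafe:      ", form_action_unsafe(), PHP_EOL;
echo "escaped:     ", form_action_escaped(), PHP_EOL;
echo "script_name: ", form_action_script_name(), PHP_EOL;
```

Running it prints the unescaped line with a live script tag, the escaped line with the quotes and angle brackets converted to entities, and the SCRIPT_NAME line containing only /index.php.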


History

 [2011-04-21 21:15 UTC] dtajchreber@php.net
-Status: Open +Status: Bogus
 [2011-04-21 21:15 UTC] dtajchreber@php.net
We don't have security warnings for $_GET, $_POST, or $_COOKIE... or any pages 
that I can find. I don't think adding one to this page is all that crucial.
 [2011-04-21 21:43 UTC] tyra3l at gmail dot com
I disagree with you.
it's common knowledge that using $_GET, $_POST etc. without properly sanitizing 
first is dangerous.
but the XSS vulnerability about PHP_SELF is not that well-known.
at least for the average developer.

Tyrael
 [2011-05-06 22:39 UTC] bjori@php.net
-Type: Documentation Problem +Type: Security -Package: Security related +Package: Documentation problem -Private report: No +Private report: Yes