Sec Bug #54584 Security warning needed
Submitted: 2011-04-21 10:33 UTC Modified: 2011-05-06 22:40 UTC
From: jstein at image dot dk Assigned:
Status: Not a bug Package: Documentation problem
PHP Version: 5.3.6 OS:
Private report: No CVE-ID: None


 [2011-04-21 10:33 UTC] jstein at image dot dk
From manual page:

The page states that PHP_SELF contains "The filename of the currently executing script", but it actually contains all of the request path, which makes it open for HTML injection.

This is by design, but as PHP_SELF is widely used for FORM submission, I think a security warning would be appropriate.

Test script:
If a page contains
  <form action="<?php echo $_SERVER['PHP_SELF']; ?>">

-and the page is called with:

The script is injected into the page.

Expected result:
The behavior is by design - I just think the documentation should contain a warning on the issue.
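The following is an added example and is not code from the bug report or from the PHP project. It reproduces the scenario above offline by filling a hand-built `$SERVER`-shaped array (the request path and the `alert(...)` payload are constructed for the demo), renders the form action three ways, and checks whether the attacker's markup survives into the HTML. `SCRIPT_NAME` is used as the alternative to `PHP_SELF` because it carries only the script's own path, not the trailing `PATH_INFO`; it is still escaped on output.

```php
<?php
declare(strict_types=1);

// Added example, not code from the bug report. Simulates the request the
// report describes with a hand-built $_SERVER-shaped array, renders the form
// action three ways, and checks whether the attacker's markup survives.
// Run from the CLI: php phpself_demo.php

// The form exactly as quoted in the report: PHP_SELF dropped into an attribute unescaped.
function vulnerable_form(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">'
         . '<input type="submit"></form>';
}

// Same form, with the value escaped for an HTML attribute context.
// ENT_QUOTES turns " into &quot; so the attacker cannot close the attribute,
// and < > & are encoded too, so no tag can start inside the attribute value.
function hardened_form(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $action . '" method="post">'
         . '<input type="submit"></form>';
}

// Alternative that avoids the trailing path entirely: SCRIPT_NAME holds the
// script's own path and not the PATH_INFO suffix. It is still escaped, because
// a value that happens to be safe is not a reason to emit it raw into HTML.
function hardened_form_script_name(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $action . '" method="post">'
         . '<input type="submit"></form>';
}

// Crude check used only by this demo: does the rendered HTML contain a raw
// <script tag, i.e. did the PATH_INFO suffix break out of the attribute?
function contains_raw_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed request for /form.php with a hostile PATH_INFO suffix. The web
// server decodes the URL-encoded path before handing it to PHP, so PHP_SELF
// already contains the literal quote and angle brackets.
$payload = '/"><script>alert(document.cookie)</script><a href="';
$server = [
    'SCRIPT_NAME' => '/form.php',
    'PATH_INFO'   => $payload,
    'PHP_SELF'    => '/form.php' . $payload,
];

foreach (['vulnerable_form', 'hardened_form', 'hardened_form_script_name'] as $fn) {
    $html = $fn($server);
    printf("%-26s %s\n  %s\n\n",
        $fn . ':',
        contains_raw_script_tag($html) ? 'INJECTED' : 'safe',
        $html);
}
```

Running it shows the raw `<script>` tag only in the first rendering; in the other two the quote that would have closed the `action` attribute is emitted as `&quot;` and the angle brackets as `&lt;`/`&gt;`, so the browser submits the form to the escaped path rather than executing anything. A form with no `action` attribute at all submits to the current document URL, which is a fourth option that never touches `$_SERVER` for this purpose.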


 [2011-04-21 21:15 UTC]
-Status: Open +Status: Bogus
 [2011-04-21 21:15 UTC]
We don't have security warnings for $_GET, $_POST, or $_COOKIE... or any pages that I can find. I don't think adding one to this page is all that crucial.
 [2011-04-21 21:43 UTC] tyra3l at gmail dot com
I disagree with you.
It's common knowledge that using $_GET, $_POST etc. without properly sanitizing first is dangerous.
But the XSS vulnerability about PHP_SELF is not that well-known, at least for the average developers.

 [2011-05-06 22:39 UTC]
-Type: Documentation Problem +Type: Security -Package: Security related +Package: Documentation problem -Private report: No +Private report: Yes
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Oct 27 06:03:32 2021 UTC