Sec Bug #54584 Security warning needed
Submitted: 2011-04-21 10:33 UTC Modified: 2011-05-06 22:40 UTC
From: jstein at image dot dk Assigned:
Status: Not a bug Package: Documentation problem
PHP Version: 5.3.6 OS:
Private report: No CVE-ID: None

 [2011-04-21 10:33 UTC] jstein at image dot dk
From manual page:

The page states that PHP_SELF contains "The filename of the currently executing script", but it actually contains all of the request path, which makes it open for HTML injection.

This is by design, but as PHP_SELF is widely used for FORM submission, I think a security warning would be appropriate.

Test script:
If a page contains
  <form action="<?php echo $_SERVER['PHP_SELF']; ?>">

and the page is called with:

The script is injected into the page.

Expected result:
The behavior is by design - I just think the documentation should contain a warning on the issue.
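As an added example (not part of the bug report or the PHP documentation), the form pattern from the test script beside two escaped alternatives; the `$server` array and the request path it describes are constructed for the demonstration:

```php
<?php
// Added example: PHP_SELF is SCRIPT_NAME plus any extra path info from the
// request, so it is attacker-influenced and must be escaped before it is
// placed in an HTML attribute. $server stands in for $_SERVER.

/** Vulnerable: echoes PHP_SELF unescaped into the action attribute. */
function form_action_raw(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '">';
}

/** Hardened: HTML-escape the value, including quotes, before output. */
function form_action_safe(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '">';
}

/** Alternative: SCRIPT_NAME carries only the script path, never PATH_INFO. */
function form_action_scriptname(array $server): string
{
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '">';
}

// Constructed request: /index.php followed by extra path info containing a
// double quote and angle brackets (URL-decoded by PHP into PHP_SELF).
$server = [
    'SCRIPT_NAME' => '/index.php',
    'PHP_SELF'    => '/index.php/"><b>injected</b>',
];

echo form_action_raw($server), "\n";        // the quote closes the attribute early; markup leaks into the page
echo form_action_safe($server), "\n";       // quote and angle brackets become entities; attribute stays intact
echo form_action_scriptname($server), "\n"; // only the script path, no extra path info
```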


 [2011-04-21 21:15 UTC]
-Status: Open +Status: Bogus
 [2011-04-21 21:15 UTC]
We don't have security warnings for $_GET, $_POST, or $_COOKIE... or any pages that I can find. I don't think adding one to this page is all that crucial.
 [2011-04-21 21:43 UTC] tyra3l at gmail dot com
I disagree with you.
It's common knowledge that using $_GET, $_POST etc. without properly sanitizing first is dangerous.
But the XSS vulnerability about PHP_SELF is not that well-known, at least for average developers.

 [2011-05-06 22:39 UTC]
-Type: Documentation Problem +Type: Security -Package: Security related +Package: Documentation problem -Private report: No +Private report: Yes