| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <43F9DAEF.4020109@rs-labs.com> Date: Mon Feb 20 15:08:34 2006 From: roman at rs-labs.com (Roman Medina-Heigl Hernandez) Subject: PHP and SCRIPT_NAME variable Hello, Last week I was thinking about the possibility for an external attacker to influence over the following PHP variable: $_SERVER['SCRIPT_NAME'] The former variable contains the remote path (URI) to a PHP script, so if for instance you access with a browser to: http://<site>/aa/bb/cc/script.php Then SCRIPT_NAME will contain "/aa/bb/cc/script.php" I did some basic tests with PHP 4.3.10 and the implementation seems to be safe: - For instance, if you access something like: http://<site>/aa/bb/../dd/cc/script.php Then SCRIPT_NAME will be "/aa/dd/cc/script.php" instead of "/aa/bb/../dd/cc/script.php" - If you try: http://<site>/aa/bb/cc/script.php/something or http://<site>/aa/bb/cc/script.php?something Then SCRIPT_NAME will contain "/aa/bb/cc/script.php" My goal is to be able to add some attacker-specified string to the variable. Two questions: 1) Do you know of any trick/method by which an attacker could alter SCRIPT_NAME variable? (obviusly without having access to docroot directory and/or edit httpd.conf) 2) Perhaps older PHP versions didn't sanitize SCRIPT_NAME variable correctly and could be abused? Any idea? TIA. Cheers, -Rom?n
Powered by blists - more mailing lists