| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Apr 2007 17:26:21 +0200 From: "Michał Majchrowicz" <mmajchrowicz@...il.com> To: full-disclosure@...ts.grok.org.uk Subject: Re: Apache/PHP REQUEST_METHOD XSS Vulnerability If you use htmlentitles it is still exploitable. The problem is that Apache accepts chars wich it shouldn't. Regards Michal. On 4/24/07, Kradorex Xeron <admin@...ibase.ca> wrote: > This isn't only a problem with that specific variable, it is also a problem > with any user-defined variable, i.e. > > <? > echo $_GET['page']; > ?> > can be XSS'd with script.php?page=<b>blah</b> > > However: > > <? > echo htmlentities($_GET['page']); > ?> > is much harder to exploit to inject malicious code. > > I beleive the following: If your program/script accepts any user input, never > assume something else will block the exploit of your program, always > impliment sanity checks, and/or strip nonsense out of the input. > > On Monday 23 April 2007 18:21, Michał Majchrowicz wrote: > > I agree. But (as a programmer) would you assume that there can be such > > things in the REQUEST_METHOD? The flaw is that Apache accepts anything > > after the valid request i.e. GET. There should be an error the the > > request was not correct. > > Regards Michal. > > > > On 4/24/07, Kradorex Xeron <admin@...ibase.ca> wrote: > > > This is a case of poor-programming, on the script coder's part, it is not > > > so much a vunerability. > > > > > > That variable only contains what it is sent by apache. it doesn't parse > > > it. nor is it supposed to. If you want to ensure there is no XSS going > > > on, parse the variable, escape characters, etc as it IS user input. > > > > > > This CAN be a vulnerability with individual scripts, however, it is not a > > > vuln with PHP or Apache. > > > > > > On Monday 23 April 2007 17:31, Michal Majchrowicz wrote: > > > > There exist a flaw in a way how Apache and php combination handle the > > > > $_SERVER array. > > > > If the programmer writes scrip like this: > > > > <?php > > > > echo $_SERVER['REQUEST_METHOD']; > > > > ?> > > > > He will assume that REQUEST_METHOD can only by: GET,POST,OPTIONS,TRACE > > > > and all that stuff. However this is not true, since Apache accepts > > > > requests that look like this: > > > > GET<script>alert(document.coookie);</script> /test.php HTTP/1.0 > > > > And the output for this would be: > > > > GET<script>alert(document.coookie);</script> > > > > Of course it is hard to exploit (I think some Flash might help ;)) and > > > > I don't know if it is exploitable at all. But programmers should be > > > > warned about this behaviour. You can't trust any variable in the > > > > $_SERVER table! > > > > Regards Michal Majchrowicz. > > > > > > > > _______________________________________________ > > > > Full-Disclosure - We believe in it. > > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > > _______________________________________________ > > > Full-Disclosure - We believe in it. > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > > Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists