
Gareth Heyes' Blog:
PHP self return of the slash
September 25, 2009 @ 10:31:24

In this new post on his blog, Gareth Heyes points out a legacy issue that those running older PHP4-based code might want to look into:

I thought about something I found ages ago in PHP4 and it's been long enough now. This is also quite funny because my server is vulnerable to this. So what happens if you escape PHP_SELF with htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES)? Safe from XSS? I hope so. Safe from everything? Well, not really, or at least it didn't use to be.

He gives a simple example of how the PHP_SELF issue can be used to change a form's target with nothing more than a few well-placed slashes. Thankfully, the problem appears to be confined to PHP4, so those working with PHP5 should be safe.
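The underlying reason escaping alone is not enough is that PHP_SELF is built from the request path, so any extra segments after the script name (PATH_INFO) travel with it into the form's action even after htmlentities() has neutralised markup. The example below is added here and is not code from Heyes' post or from PHPDeveloper.org; it uses a constructed $_SERVER array rather than a live request, and the function names are ours. It contrasts the escaped-PHP_SELF pattern with SCRIPT_NAME, which carries only the script path, and adds a check a form handler can use to refuse requests that arrive with unexpected path segments.

```php
<?php
// Added example (not from Gareth Heyes' post or PHPDeveloper.org).
// htmlentities() stops PHP_SELF from breaking out of the attribute, but the
// value still includes whatever path segments followed the script name in
// the request (PATH_INFO), so the path the form posts to remains under the
// requester's control. SCRIPT_NAME never includes those segments.

declare(strict_types=1);

/** Escaped PHP_SELF: the pattern the post discusses. */
function actionFromPhpSelf(array $server): string
{
    return htmlentities($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
}

/** Escaped SCRIPT_NAME: the executing script's path only, no PATH_INFO. */
function actionFromScriptName(array $server): string
{
    return htmlentities($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
}

/**
 * Defensive check: a form script that does not itself rely on PATH_INFO
 * can refuse any request whose PHP_SELF is not exactly its own SCRIPT_NAME.
 */
function hasUnexpectedPathInfo(array $server): bool
{
    return $server['PHP_SELF'] !== $server['SCRIPT_NAME'];
}

// Constructed $_SERVER values (hypothetical), shaped the way Apache with
// mod_php populates them for GET /form.php/extra/segments. No real request
// is made here.
$request = [
    'SCRIPT_NAME' => '/form.php',
    'PHP_SELF'    => '/form.php/extra/segments',
    'PATH_INFO'   => '/extra/segments',
];

// The PHP_SELF-based action is safely escaped yet still points past the
// script; the SCRIPT_NAME-based action stays at /form.php.
printf("PHP_SELF action:    %s\n", actionFromPhpSelf($request));
printf("SCRIPT_NAME action: %s\n", actionFromScriptName($request));
printf("reject request:     %s\n", hasUnexpectedPathInfo($request) ? 'yes' : 'no');
```

Run it with `php example.php` to see the two actions side by side. The design point is that escaping answers "can this value break the HTML?" while the form target is a separate question about which path is interpolated; using SCRIPT_NAME (or omitting the action attribute so the browser posts back to the current URL) keeps that path out of the requester's hands, and the comparison check makes any stray PATH_INFO visible in logs rather than silently rendered.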





All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework