News Feed
Jobs Feed
Sections




News Archive
Gareth Heyes' Blog:
Exploiting PHP SELF
by Chris Cornutt January 14, 2008 @ 07:54:00

Gareth Heyes has a new post today talking about one of the vulnerable values in the $_SERVER superglobal - PHP_SELF.

I thought it might be a good idea to gather a few test cases demonstrating the problem. Why PHP allows these URL's is beyond me and it wouldn't take much work to filter out these malicious URL's in the PHP code.

He provides four test cases to show how simple it is to abuse - one using a HTTP header, another pushing XSS through, the third mentions search pages and the fourth a direct code injection.

You can download the code here.

0 comments voice your opinion now!
exploit phpself superglobal inject testcase security exploit phpself superglobal inject testcase security


blog comments powered by Disqus

Similar Posts

Matthew Weier O'Phinney's Blog: Testing Zend Framework MVC Applications

Pádraic Brady: Getting Ahead In Security By Watching The Neighbours

Developer Tutorials Blog: And the winner of the most important security tip competition is...

Chris Shiflett's Blog: PHP Security by Example

International PHP Magazine: Poll Question: In Which of the Following PHP Security Suffers?


 Community Events











Don't see your event here?
Let us know!

introduction framework phpunit zendframework2 rest testing podcast release conference series example community language functional usergroup development interview database opinion symfony2

All content copyright, 2013 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework