    #1 A Change of Season (Devshed Frequenter, 2500 - 2999 posts)
    Join Date: Mar 2004 | Location: Next Door | Posts: 2,650 | Rep Power: 171

    Security issue with <form action="<?php echo $_SERVER['PHP_SELF'];?>" />


    Hi

    Can someone please explain what the security issue could be with
    Code:
    <form action="<?php echo $_SERVER['PHP_SELF'];?>" />
    Thanks
    #2 Did you steal it? (Devshed Supreme Being, 6500+ posts)
    Join Date: Mar 2007 | Location: Washington, USA | Posts: 13,965 | Rep Power: 9397
    PHP_SELF contains the URL being used to access the page without any URL encoding. Blah blah blah
    Code:
    /path/to/script.php?"><script>alert("XSS")</script>
    Code:
    <form action="/path/to/script.php?"><script>alert("XSS")</script>" />
    PHP Code:
    ?><form action="<?php echo escaping_function_here($_SERVER['PHP_SELF']);?>" />
    Code:
    <form action="/path/to/script.php?&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;" />
    Or better yet, don't use PHP_SELF.
    Last edited by requinix; July 19th, 2013 at 12:04 AM.
    #3 Contributing User (Devshed Newbie, 0 - 499 posts)
    Join Date: Jul 2013 | Posts: 189 | Rep Power: 0
    I don't get what you are trying to say here.

    I do this all the time;

    PHP Code:
    $action = $_SERVER['PHP_SELF'];
    then later on in my html I use:

    <form name='myform' method='POST' action="$action">


    What is wrong with that? You say the url isn't encoded(?)? Why is that a problem?
    #4 -- (Devshed Expert, 3500 - 3999 posts)
    Join Date: Jul 2012 | Posts: 3,957 | Rep Power: 1046
    Never insert raw user input into your HTML document.

    If you do, your website is vulnerable to cross-site scripting attacks: People can inject malicious JavaScript code into your site and use it to steal cookies from your visitors or manipulate the site in any way they want.

    For testing, create a new PHP file:

    xss.php
    PHP Code:
    <?php

    // PHP_SELF includes any path info the client appends after the script name
    $action = $_SERVER['PHP_SELF'];

    // the raw value is written straight into the attribute
    echo "<form name='myform' method='post' action='$action'>";
    And then call it like this:
    Code:
    http://localhost/xss.php/%27%3E%3Cscript%3Ealert%28%22I%20just%20injected%20JavaScript%20code.%22%29;%3C/script%3E
    Do you see an alert window? Congratulations, you've just fallen victim to a cross-site scripting attack.

    If you use this PHP_SELF "technique" on a live site, you must fix this vulnerability right now! You've obviously been lucky so far, but that doesn't mean your luck will last forever. If anybody with bad intentions finds your website, you'll be in deep trouble.
    The 6 worst sins of security | How to (properly) access a MySQL database with PHP

    Why can’t I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
    #5 Contributing User (Devshed Newbie, 0 - 499 posts)
    Join Date: Jul 2013 | Posts: 189 | Rep Power: 0
    Don't understand "call it like this". Call what?

    Upon further review....
    my browser prevents any xss from happening, so I can't test what you are saying.

    I suppose the issue here is that a user can append something to the address at the top of MY page and cause something to happen. What would that be? I don't see the risk of modifying the uri/url. YES - I do understand the problems with accepting input that my script is going to process and do take precautions. But this xss thing I don't see.
    #6 -- (Devshed Expert, 3500 - 3999 posts)
    Join Date: Jul 2012 | Posts: 3,957 | Rep Power: 1046
    Originally Posted by jimmyg999
    my browser prevents any xss from happening, so I can't test what you are saying.
    Use another browser like Firefox.



    Originally Posted by jimmyg999
    I suppose the issue here is that a user can append something to the address at the top of MY page and cause something to happen. What would that be?
    They can inject anything into your page. Anything I enter into the URL ends up right on your page, because you take the whole URL and simply insert it into your HTML document.

    I could inject JavaScript code into your page and steal the session cookies from your users. I could create a new form and ask your visitors to enter their password. And when they do, the password will get sent to my own server. I could point all links on your website to some malicious file. So when your visitors click on any link, they'll download a virus or something. The possibilities are endless, and attackers can be very creative.

    Again: Cross-site scripting means that I can manipulate your page in any way I want, and your users won't even notice it.
    #7 Dazed&Confused (Devshed Novice, 500 - 999 posts)
    Join Date: Jun 2002 | Location: Tempe, AZ | Posts: 506 | Rep Power: 128
    Originally Posted by jimmyg999
    I don't get what you are trying to say here.

    I do this all the time;

    PHP Code:
    $action = $_SERVER['PHP_SELF'];
    then later on in my html I use:

    <form name='myform' method='POST' action="$action">
    Meh, a bit redundant to point the page back to itself in the action. Browsers will act the same if you omit the action tag altogether.

    But if you really want the action tag you should at least validate that the action that's passed is a legitimate one. After all, one would assume you plan to do something with the form that would be dependent upon what action it is.
    LinkedIn: Dave Mittner
    #8 Contributing User (Devshed Newbie, 0 - 499 posts)
    Join Date: Jul 2013 | Posts: 189 | Rep Power: 0
    I'm sure it is a problem, but I don't see how it affects me.

    My use of php_self gives me the page name so that my script (form) can call itself upon submit. As this little exercise just proved to me, all that my variable contains is the name of my own script - not the domain name. So how does a hacker put his domain name into the address bar and have my code involved? If the address is altered to append args to my page name (GETs) so what? I'm not doing anything with them and they will perhaps get sent back to MY page when I finish processing. I still don't see the problem.

    And why should I use FF - because it doesn't prevent this from happening? Don't see that either.
    #9 Dazed&Confused (Devshed Novice, 500 - 999 posts)
    Join Date: Jun 2002 | Location: Tempe, AZ | Posts: 506 | Rep Power: 128
    Originally Posted by Jacques1
    If you do, your website is vulnerable to cross-site scripting attacks: People can inject malicious JavaScript code into your site and use it to steal cookies from your visitors or manipulate the site in any way they want.
    Actually, though, what damage could be caused in this case? Obviously I agree that if data is ever submitted by a user that might show up on another user's screen, then there's the potential to cause damage with XSS and you need to safeguard against it.

    But in this case the most the would-be hacker could do is affect their own screen. That's a minimal threat given they could accomplish the same result by other means, up to and including using a custom browser that changes the received HTML before rendering it.
    #10 -- (Devshed Expert, 3500 - 3999 posts)
    Join Date: Jul 2012 | Posts: 3,957 | Rep Power: 1046
    The thing about URLs is that they can be shared. If I find an interesting page, I can send the URL to my friends, and they'll see the exact same page.

    And if I set up a URL containing malicious JavaScript code, I can also share it, and anybody visiting this URL will inadvertently execute the code.

    I'm not interested in executing the code myself. I'm interested in having somebody else execute it. Because if they do, I can control their browser. I can read their cookies, change the website, redirect the browser, whatever. All the victim needs to do is click on a link.

    Of course it's even better if I can persistently store the malicious code on your site. Then I don't even need to distribute the code, because you do that already. But it doesn't really make a difference. Either way, your users are screwed.

    If you think that people will notice the strange URL and not click on it: I doubt that. Most people have no clue what JavaScript is and what it does. Plus I can easily obfuscate the link by URL-encoding it. Plus I can use a short link service.
    #11 Why so angry? (Devshed Intermediate, 1500 - 1999 posts)
    Join Date: Jan 2004 | Posts: 1,945 | Rep Power: 898
    Originally Posted by dmittner
    Actually, though, what damage could be caused in this case? Obviously I agree that if data is ever submitted by a user that might show up on another user's screen, then there's the potential to cause damage with XSS and you need to safeguard against it.

    But in this case the most the would-be hacker could do is affect their own screen. That's a minimal threat given they could accomplish the same result by other means, up to and including using a custom browser that changes the received HTML before rendering it.
    To: dmittner@devshed.com
    Subject: Please confirm your Example.com login details
    Body: Due to a recent security breach, we are asking all members to confirm their accounts. Please click here {http://www.example.com/form.php/"><script>cookiemonster()</script>} to confirm your account details. Always make sure that the URL in your browser bar begins with http://www.example.com!

    Now as the intelligent chap you are, Mr. dmittner, I believe you'd see right through this phishy e-mail. However, that cannot be expected of all of the glorious constituents of Example.com.
    Verify and sanitize ALL USER DATA.

    And, to steal a quote from jeremy, "Explain your problem instead of asking how to do what you decided was the solution." Chances are someone on the forums will know a better or more efficient way to do what you're trying to accomplish.

    Avatar: Stolen by me, shown to me by patrick.

    #12 Dazed&Confused (Devshed Novice, 500 - 999 posts)
    Join Date: Jun 2002 | Location: Tempe, AZ | Posts: 506 | Rep Power: 128
    Oh derp. Right.
    It's Friday. My brain's at about 5% capacity...
    #13 Did you steal it? (Devshed Supreme Being, 6500+ posts)
    Join Date: Mar 2007 | Location: Washington, USA | Posts: 13,965 | Rep Power: 9397
    Originally Posted by Jacques1
    Originally Posted by jimmyg999
    my browser prevents any xss from happening, so I can't test what you are saying.
    Use another browser like Firefox.
    Right. Chrome will automatically prevent Javascript from executing if it sees it was present in the original request. Makes it harder to test for XSS, but you can disable the feature by launching it with the --disable-web-security command-line option.
    #14 Contributing User (Devshed Newbie, 0 - 499 posts)
    Join Date: Jul 2013 | Posts: 189 | Rep Power: 0
    BUT - your example has nothing to do with the topic which was about using $_SERVER['PHP_SELF'] in a form's action attribute. Does it?
    #15 -- (Devshed Expert, 3500 - 3999 posts)
    Join Date: Jul 2012 | Posts: 3,957 | Rep Power: 1046
    Gosh, is this really so hard to understand? You already got an XSS warning from your browser. What else do you want?

    Your beloved PHP_SELF contains the path from the URL. This path is under the user's control and can be filled with arbitrary data (after the actual path to the script, of course).

    As an example:

    Code:
    http://jimmy.com/index.php/i_am_so_arbitrary$%&§
    Within the script /index.php, your PHP_SELF contains the full URL path including the arbitrary data:

    PHP Code:
    "/index.php/i_am_so_arbitrary$%&§" 
    If you insert the raw PHP_SELF into your document, then the arbitrary data will become a part of your page, allowing anybody to inject malicious JavaScript code or HTML. And that's obviously a problem.

    So that's the procedure:
    1. I make up some malicious JavaScript code.
    2. I pass it to the URL.
    3. You insert the raw URL including my code into your document.
    4. My code takes action, stealing the cookies from your users or whatever.

    Got it? If not, there are plenty of resources on cross-site scripting. Just google for them.
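A worked example added here (not code from any post in this thread) that puts the raw PHP_SELF form discussed in posts #2 and #15 next to the escaped form requinix sketched and the action-less form dmittner suggested. The PHP_SELF value is constructed to show the path-info shape the posts describe, the function names are mine, and it assumes PHP 8 for str_contains.

```php
<?php
// Added example, not code from the thread. Run with: php phpself_demo.php
// It contrasts the raw PHP_SELF form the thread discusses with an escaped one.

// Constructed value: what $_SERVER['PHP_SELF'] holds when the request path is
// /form.php followed by client-chosen path info (the shape shown in the posts).
$phpSelf = '/form.php/"><script>alert("XSS")</script>';

// Vulnerable: the raw value is dropped into the attribute, so the quote and
// angle brackets it carries close the attribute and start a new element.
function renderUnsafe(string $self): string
{
    return '<form action="' . $self . '" method="post">';
}

// Hardened: every HTML-special character, quotes included, becomes an entity
// before insertion, so the browser sees one long attribute value, not markup.
function renderSafe(string $self): string
{
    return '<form action="' . htmlspecialchars($self, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

// Alternative from the thread: omit action entirely; browsers then post back to
// the page's own URL, and nothing request-controlled reaches the markup.
function renderWithoutAction(): string
{
    return '<form method="post">';
}

// A check a reviewer can run over any rendered form: the untrusted value must
// not survive verbatim (with its quote and angle brackets) in the output.
function containsRawMarkup(string $html, string $self): bool
{
    return str_contains($html, $self);
}

foreach ([renderUnsafe($phpSelf), renderSafe($phpSelf), renderWithoutAction()] as $html) {
    echo $html, PHP_EOL;
    echo '  raw PHP_SELF present: ', containsRawMarkup($html, $phpSelf) ? 'yes' : 'no', PHP_EOL;
}
```

Only the first form fails the check; the escaped form keeps the full path in the attribute as entities, and the action-less form never touches the request path at all.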