[Full-disclosure] PHP and SCRIPT_NAME variable
- To: vuln-dev@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] PHP and SCRIPT_NAME variable
- From: Roman Medina-Heigl Hernandez <roman@xxxxxxxxxxx>
- Date: Mon, 20 Feb 2006 16:06:23 +0100
Hello,
Last week I was thinking about the possibility for an external attacker to
influence the following PHP variable:
$_SERVER['SCRIPT_NAME']
The former variable contains the remote path (URI) to a PHP script, so if,
for instance, you browse to:
http://<site>/aa/bb/cc/script.php
Then SCRIPT_NAME will contain "/aa/bb/cc/script.php"
I did some basic tests with PHP 4.3.10 and the implementation seems to be safe:
- For instance, if you access something like:
http://<site>/aa/bb/../dd/cc/script.php
Then SCRIPT_NAME will be "/aa/dd/cc/script.php"
instead of "/aa/bb/../dd/cc/script.php"
- If you try:
http://<site>/aa/bb/cc/script.php/something
or
http://<site>/aa/bb/cc/script.php?something
Then SCRIPT_NAME will contain "/aa/bb/cc/script.php"
My goal is to be able to add some attacker-specified string to the
variable. Two questions:
1) Do you know of any trick/method by which an attacker could alter the
SCRIPT_NAME variable? (obviously without having access to the docroot directory
and/or editing httpd.conf)
2) Perhaps older PHP versions didn't sanitize the SCRIPT_NAME variable
correctly and could be abused? Any idea?
TIA.
Cheers,
-Román
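
The three observations in the message can be reproduced with a small model of how a request URL is mapped to a script. This is an added example, not part of the original post and not PHP or Apache code; the host `site.example`, the `SCRIPTS` set and both function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: script paths assumed to exist under the docroot.
SCRIPTS = {"/aa/bb/cc/script.php", "/aa/dd/cc/script.php"}


def remove_dot_segments(path):
    """Collapse '.' and '..' path segments before any file lookup."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if len(out) > 1:      # never climb above the root
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/".join(out) or "/"


def split_script_name(url, scripts=SCRIPTS):
    """Return (SCRIPT_NAME, PATH_INFO, QUERY_STRING) for a request URL,
    or None when no known script matches (the model's 404 case)."""
    parts = urlsplit(url)                      # query string is split off here
    segs = remove_dot_segments(parts.path).split("/")
    # Walk prefixes from shortest to longest; the first one that names a
    # script becomes SCRIPT_NAME and the remainder becomes PATH_INFO.
    for i in range(2, len(segs) + 1):
        candidate = "/".join(segs[:i])
        if candidate in scripts:
            rest = segs[i:]
            path_info = "/" + "/".join(rest) if rest else ""
            return candidate, path_info, parts.query
    return None


if __name__ == "__main__":
    for u in (
        "http://site.example/aa/bb/cc/script.php",
        "http://site.example/aa/bb/../dd/cc/script.php",
        "http://site.example/aa/bb/cc/script.php/something",
        "http://site.example/aa/bb/cc/script.php?something",
    ):
        print(u, "->", split_script_name(u))
```

In this model the extra string always lands in PATH_INFO or QUERY_STRING, and SCRIPT_NAME can only ever equal a path already present in `SCRIPTS`, which matches the results reported for PHP 4.3.10.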