Looking at an old code of a client, he's using

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" />

I was wondering if it was subject to XSS, but when I try:

  • form.php"><script>alert('xss');</script> => 404 NOT FOUND from Apache
  • form.php/"><script>alert('xss');</script> => 404 From my app

I must specify that I also use ?action=specific_page in the url for its normal use.

Does that mean no XSS is possible using PHP_SELF or does that mean I'm trying it the wrong way?

Charles
Cyril N.
  • Please show us all the code or ask what exactly you want to figure out. Right now it's hard to understand what your problem is and why you are talking about 'PHP_SELF' here. – Bogdan Burym Nov 06 '12 at 09:25
  • The code has been badly interpreted. Sorry. It has been updated to show the correct html/php part. – Cyril N. Nov 06 '12 at 09:26
  • If you need to post form to same url where it is displayed you may skip `action`. Just remove `action` attribute. – Bogdan Burym Nov 06 '12 at 09:28
  • Browsers like Chrome have an XSS protection and can detect things like that; you might want to try another browser. – MarcDefiant Nov 06 '12 at 09:35
  • @bogdan-burim : I'm aware of the risk, I just want to test if it would work or not. You better understand a security threat when you succeed in exploiting it once. And it's better if I do it locally ;) – Cyril N. Nov 06 '12 at 09:39
  • @mogria : Good idea! I wasn't aware of that protection in Chrome (and good guess, I'm using Chrome). But I tried with Firefox, and I didn't have any luck either. – Cyril N. Nov 06 '12 at 09:40
  • Re-reading the question, the problem doesn't seem to be the XSS protection. I think your routing in your application simply doesn't accept the value `form.php/">` and therefore shows a 404 page. So your application isn't really secure, you're just "lucky". – MarcDefiant Nov 06 '12 at 09:54
  • @Mogria yes, that's what I was thinking too. That also means that maybe at some place, this would work. No matter what, I have to update the code ;) – Cyril N. Nov 06 '12 at 10:50

1 Answer

4

If your form is at the form.php script, try accessing it with a URL in the browser like http://yoursite.com/form.php/"><script>alert('XSS')</script> to see if it is vulnerable to injection.

If it doesn't do anything, your configuration prevents this, at least for this specific file.

(Of course, you should use something like htmlspecialchars($_SERVER['SCRIPT_NAME']) anyway.)

eis
  • @Rook the thing needs PATH_INFO enabled, it can be disabled also. It is controlled by AcceptPathInfo in Apache. See for example [this](http://books.google.fi/books?id=DjgKJL0q1i0C&pg=PA179&lpg=PA179&dq=acceptpathinfo+php_Self&source=bl&ots=2vOBnEA1Me&sig=MJpTNGoyZ5ivWocQobdqmtJoGCg&hl=en&sa=X&ei=Bg2aUMC5DOz54QS5-YGIDw&ved=0CFUQ6AEwBg#v=onepage&q=acceptpathinfo%20php_Self&f=false), [this](http://stackoverflow.com/questions/8706817/check-in-php-if-path-info-is-enabled-on-your-server) and [this](http://security.stackexchange.com/questions/12899/what-attacks-use-enabled-apaches-path-info) thread. – eis Nov 07 '12 at 07:25
  • lol that last link is my post. $_SERVER['PATH_INFO'] is not a configuration option, it is an attacker controlled variable. – rook Nov 07 '12 at 07:45
  • @Rook :) So you don't agree that [AcceptPathInfo](http://httpd.apache.org/docs/2.2/mod/core.html#acceptpathinfo) is configuration option? – eis Nov 07 '12 at 08:03
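The following is an added example, not code from the question or the answer. It shows, offline from the CLI, why the client's `action="<?php echo $_SERVER['PHP_SELF']; ?>"` is an attribute-injection sink once Apache appends PATH_INFO to PHP_SELF, and why the answer's `htmlspecialchars($_SERVER['SCRIPT_NAME'])` closes it. The `$php_self` and `$script_name` values are constructed to mimic what Apache sets for the request discussed above with AcceptPathInfo on; the function names are the example's own.

```php
<?php
// Added example: vulnerable vs. hardened rendering of the form action.
// Run with: php php_self_demo.php

// The client's pattern: PHP_SELF dropped straight into an attribute.
function form_action_unsafe(string $php_self): string
{
    return '<form action="' . $php_self . '" method="post">';
}

// The answer's pattern: escape the value before it reaches HTML.
// ENT_QUOTES encodes both " and ', so nothing in the value can terminate
// the attribute; ENT_SUBSTITUTE avoids an empty string on invalid UTF-8.
function form_action_safe(string $path): string
{
    return '<form action="'
        . htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '" method="post">';
}

// Detection helper for the demo: did the rendered markup gain a tag that
// the template never wrote? A single <form ...> is all that should be there.
function markup_is_intact(string $html): bool
{
    return preg_match_all('/<[a-z]/i', $html) === 1;
}

// Constructed values (not captured from a real server). With AcceptPathInfo
// on, a request for /form.php/"><script>alert('XSS')</script> gives:
//   PHP_SELF    = script path + PATH_INFO tail (request-controlled)
//   SCRIPT_NAME = script path only (fixed by the file on disk)
$payload     = '/"><script>alert(\'XSS\')</script>';
$php_self    = '/form.php' . $payload;
$script_name = '/form.php';

$cases = [
    'unsafe, PHP_SELF'      => form_action_unsafe($php_self),
    'escaped, PHP_SELF'     => form_action_safe($php_self),
    'escaped, SCRIPT_NAME'  => form_action_safe($script_name),
];

foreach ($cases as $label => $html) {
    printf("%-22s intact=%s  %s\n",
        $label,
        markup_is_intact($html) ? 'yes' : 'NO ',
        $html
    );
}
```

Only the first case breaks out of the attribute; escaping alone is enough to neutralise the PATH_INFO tail, and using SCRIPT_NAME additionally keeps the request-controlled suffix out of the value in the first place. As the comments note, disabling AcceptPathInfo in Apache removes the tail server-side, but that is a deployment setting the application should not rely on: the output escaping is what makes the template safe wherever it is deployed.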