1

PHP's magic constants allow you to access information such as the current PHP file being executed, the name of the current function, etc.

While this data is not user input directly, it can definitely be influenced by user input (e.g. by visiting a specific path to influence `__dir__` and `__file__`, etc.); however, in most cases it is not possible for remote user input to accurately influence these variables.

For example, if you were to visit `example.com/<script>window.alert("XSS");</script>`, this would not result in the `__file__` variable on that server containing malicious JavaScript. Instead, it would contain the path of your 404 ErrorDocument (assuming that XSS example wasn't an actual path on your server).

What other ways are there that malicious data could get into these variables?

Are there any other security considerations that I have missed related to PHP magic constants?

For context, this is about an Apache server serving static PHP pages; there is no additional user input on the site (e.g. forms, file uploads, cookies, etc.).

jamieweb
  • Not one affected by user input, but `__FILE__`/`__DIR__` resolve symlinks so may reveal information about the server file system. – cmbuckley Mar 30 '18 at 23:21
  • So these are completely different to something such as `$_SERVER['PHP_SELF']`, which is easily influenced by user input? – jamieweb Mar 31 '18 at 12:28
  • No, it’s more like `$_SERVER['SCRIPT_FILENAME']` in that respect. – cmbuckley Mar 31 '18 at 13:30
  • So you're saying that `$_SERVER['SCRIPT_FILENAME']` can be easily affected by user input? – jamieweb Mar 31 '18 at 13:41
  • No, I’m saying that `__FILE__`, like `$_SERVER['SCRIPT_FILENAME']`, is not — but they do resolve the absolute path to the file, which may reveal information about the server’s folder structure. – cmbuckley Apr 01 '18 at 20:19
  • Ah I understand what you mean now, thanks for the clarification. What about `getcwd()`? As far as I can tell, that cannot be influenced by user input. – jamieweb Apr 01 '18 at 21:07

1 Answer

-3

There are no security risks. Those constants pull from server data (i.e. your PHP file path). Those cannot be controlled by an end user.

Machavity
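An added example, not part of the question, comments, or answer, of the distinction drawn in the comments: run from the PHP CLI on a Unix-like system, it shows `__FILE__` resolving a symlink to the real on-disk path, and compares it with a `PHP_SELF` value that carries request path info. The helper name `displayable_path()`, the temp-directory layout, and the `PHP_SELF` value are all constructed for illustration.

```php
<?php
// Added example, not from the thread. Paths and request values are constructed.

/** Show a server path relative to $root (or just its file name), HTML-escaped. */
function displayable_path(string $absolute, string $root): string
{
    // __FILE__ is already symlink-resolved, so resolve the root before comparing.
    $real = realpath($root);
    $root = rtrim($real !== false ? $real : $root, '/') . '/';
    $shown = strncmp($absolute, $root, strlen($root)) === 0
        ? '/' . substr($absolute, strlen($root))
        : basename($absolute);            // outside the root: never print the full path
    return htmlspecialchars($shown, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. __FILE__ has symlinks resolved, so it names the real location on disk.
$base = sys_get_temp_dir() . '/magic_demo_' . getmypid();
mkdir("$base/releases/v42", 0700, true);
file_put_contents("$base/releases/v42/page.php", '<?php return __FILE__;');
symlink("$base/releases/v42", "$base/current");   // hypothetical deploy layout

$fileConst = include "$base/current/page.php";    // reached through the symlink
echo "requested via : $base/current/page.php\n";
echo "__FILE__      : $fileConst\n";

// 2. PHP_SELF keeps request path info. Constructed value for a request to
//    /page.php/<script>window.alert("XSS");</script>
$server = ['PHP_SELF' => '/page.php/<script>window.alert("XSS");</script>'];
$escaped = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo "PHP_SELF raw  : {$server['PHP_SELF']}\n";
echo "PHP_SELF safe : $escaped\n";

// 3. What a page can print instead of the raw constant.
echo "__FILE__ safe : " . displayable_path($fileConst, "$base/current") . "\n";

// Clean up the constructed files.
unlink("$base/releases/v42/page.php");
unlink("$base/current");
rmdir("$base/releases/v42");
rmdir("$base/releases");
rmdir($base);
```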