
Nmap Development mailing list archives
Re: http-phpself-xss
From: Paulino Calderon <paulino () calderonpale com>
Date: Mon, 30 May 2011 12:55:58 -0700
Correct. Lots of developers use $_SERVER["PHP_SELF"] to retrieve the script's name without escaping it first, not knowing that attackers can tamper with this variable.

Other examples are:
* http://www.mc2design.com/blog/php_self-safe-alternatives
* http://www.securityfocus.com/bid/37351
* http://software-security.sans.org/blog/2011/05/02/spot-vuln-percentage

I'll submit a new script to scan for more generic cross site scripting vulnerabilities after I make sure the crawling / parsing of all the malformed documents out there works correctly ;)

Cheers.

On 05/30/2011 07:54 AM, Abuse007 wrote:
> If I'm not mistaken the script is not trying to exploit the php parameters, such as data in your second example, but rather the PHP_SELF variable which is set to the relative URL of the currently executing script - including what comes after the php file.
>
> From the doco: -
> The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/test.php/foo.bar would be /test.php/foo.bar.
>
> See: - http://spotthevuln.com/2009/10/privilege-escalation-one-damn-thing/
>
> Cheers
>
> On 30/05/2011, at 11:07 PM, "Hans Nilsson" <hasse_gg () ftml net> wrote:
>
>> What about when only certain variables are vulnerable?
>>
>> For example
>> example.com/test.php?<script>alert(1)</script>
>> may not work when
>> example.com/test.php?data=<script>alert(1)</script>
>> works.
>>
>> Or what about if only POST-data is vulnerable?
>>
>> /Hans
>>
>>
>> On Sun, 29 May 2011 03:04 -0700, "Paulino Calderon"
>> <paulino () calderonpale com> wrote:
>>
>>> Hi everyone,
>>>
>>> I'm attaching my script 'http-phpself-xss', this script detects php
>>> files vulnerable to Phpself Cross Site Scripting(*) in a web server.
>>>
>>> First, the script crawls the webserver to list all php files and then it
>>> sends an attack probe to identify all vulnerable scripts.
>>>
>>> Feel free to test this script against my dummy app -
>>> http://calder0n.com/sillyapp/
>>>
>>> (*) Phpself Cross Site Scripting vulnerabilities refers to cross site
>>> scripting vulnerabilities caused by the lack of sanitation of the
>>> variable $_SERVER["PHP_SELF"] in PHP scripts/web applications.
>>>
>>> Cheers.
>>>
>>> --
>>> Paulino Calderón Pale
>>> Web: http://calderonpale.com
>>> Twitter: @paulinocaIderon
>>>
>>> _______________________________________________
>>> Sent through the nmap-dev mailing list
>>> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>>> Archived at http://seclists.org/nmap-dev/
>>> Email had 1 attachment:
>>> + http-phpself-xss.nse
>>> 12k (text/plain)
>>
>> --
>> Hans Nilsson
>> hasse_gg () ftml net
>>
>> --
>> http://www.fastmail.fm - A no graphics, no pop-ups email service

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: @paulinocaIderon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
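A minimal illustration of the pattern discussed in this thread, added here as an example (it is not code from the thread, from the http-phpself-xss script, or from the Nmap project): the unescaped `$_SERVER["PHP_SELF"]` usage next to two hardened forms. The `$server` array, the script path `/test.php` and the injected path segment are constructed values standing in for a real request.

```php
<?php
// Added example, not code from the thread or from Nmap. It shows the unsafe
// pattern the thread describes and two hardened alternatives. Assumes the
// script lives at /test.php; PHP appends any extra path segment of the
// request (e.g. /test.php/foo.bar) to $_SERVER['PHP_SELF'], which is why
// the value is attacker-influenced.

// UNSAFE: the request path is written raw into an HTML attribute.
function formActionUnsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// HARDENED: encode for the HTML attribute context before output.
function formActionEscaped(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// HARDENED (preferred): do not echo the request path at all. SCRIPT_NAME
// holds the script's own path without the trailing path info, so the
// part an attacker controls never reaches the page.
function formActionFixed(array $server): string
{
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Constructed request (no real server involved): the extra path segment
// carries a quote and a tag, the shape of probe the thread talks about.
// $server stands in for $_SERVER.
$server = [
    'SCRIPT_NAME' => '/test.php',
    'PHP_SELF'    => '/test.php/"><b>injected</b>',
];

echo formActionUnsafe($server), PHP_EOL;   // attribute is closed early, tag lands in the page
echo formActionEscaped($server), PHP_EOL;  // quote and angle brackets become entities
echo formActionFixed($server), PHP_EOL;    // only /test.php is emitted
```

Run from the command line it prints the three form tags; only the first contains the injected markup unencoded, which is the condition a scanner such as the one in this thread looks for when it sends its probe and inspects the response. Escaping in the attribute context closes the hole; not reflecting the request path at all removes the sink entirely.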
Current thread:
- http-phpself-xss — Paulino Calderon (May 29)
- Re: http-phpself-xss — Hans Nilsson (May 30)
- Re: http-phpself-xss — Abuse007 (May 30)
- <Possible follow-ups>
- Re: http-phpself-xss — Paulino Calderon (May 30)
- Re: http-phpself-xss — Hans Nilsson (May 30)