Dotan Cohen wrote:
http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html
explains a technique to validate the input as well (don't trust that is
clean)
I do not understand the exploit. How is he spoofing any $_SERVER
variables? The attack description doesn't make sense.
Did you actually try his example?
Some browsers may have some client side protection and not execute it. I
believe suhosin protects against it server side.
NoScript would block it, even if you had scripts enabled globally.
<html>
<head><title>foo</title></head>
<body>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<input type="submit" value="submit" />
</form>
</body>
</html>
Put that on a server w/o suhosin, turn off NoScript, and try it.
If it doesn't work with current firefox - try with an older version of IE.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
