Dotan Cohen wrote:
>> http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html
>>
>> explains a technique to validate the input as well (don't trust that is
>> clean)
>>
>
> I do not understand the exploit. How is he spoofing any $_SERVER
> variables? The attack description doesn't make sense.
>

Well, when you visit that page, $_SERVER['PHP_SELF'] is set to the value of his URL:

form.php/%22%3E%3Cscript%3Ealert(’XSS attack!’)%3C/script%3E%3Cbr

The page then echoes out $_SERVER['PHP_SELF'], which, when those URL-encoded characters are decoded, becomes the script action that you see. Test it for yourself.

Note: if you copy and paste the code, the delimiters around "XSS attack!" are actually apostrophes, so it doesn't work; but if you change them to single quotes it works as advertised, except there is a wayward " in the <br> as <br">. This doesn't keep the script from executing, though.

I prefer valid markup in my exploits, so I use:

form.php/%22%3E%3Cscript%3Ealert('XSS attack!')%3C/script%3E%3Chr class=%22nothing

--
Thanks!
-Shawn
http://www.spidean.com

--
PHP General Mailing List (http://www.php.net/)
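As an added example (not code from the thread or from the linked forum post): the vulnerable pattern the thread describes, echoing $_SERVER['PHP_SELF'] raw into a form action, next to two hardened alternatives. The $phpSelf and $scriptName values are constructed to match what PHP would set for the second URL above; the function names are assumptions for illustration.

```php
<?php
// Constructed stand-in for $_SERVER['PHP_SELF'] as PHP populates it when the
// request path carries extra path-info after form.php.
$phpSelf    = '/form.php/"><script>alert(\'XSS attack!\')</script><hr class="nothing';
// Constructed stand-in for $_SERVER['SCRIPT_NAME'] for the same request.
$scriptName = '/form.php';

// 1. Vulnerable: PHP_SELF includes whatever path-info the client appended, and
//    printing it unencoded lets that text terminate the action attribute and
//    inject its own markup into the page.
function formActionVulnerable(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// 2. Hardened by output encoding: ", ', < and > are turned into entities, so
//    the value stays inside the attribute no matter what the request path held.
function formActionEscaped(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// 3. Hardened by not reflecting the request path at all: SCRIPT_NAME normally
//    names the script that actually ran, without path-info. Still encoded, as a
//    matter of habit, since every value written into HTML should be.
function formActionScriptName(string $scriptName): string
{
    $safe = htmlspecialchars($scriptName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

echo formActionVulnerable($phpSelf), PHP_EOL;
echo formActionEscaped($phpSelf), PHP_EOL;
echo formActionScriptName($scriptName), PHP_EOL;
```

Running it and comparing the three lines shows the script tag surviving only in the first one; a grep for `echo $_SERVER['PHP_SELF']` or `<?= $_SERVER['PHP_SELF'] ?>` in a code base is the quick way to find instances of the first pattern.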