Michael A. Peters wrote: > Dotan Cohen wrote: >>> http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html >>> >>> >>> explains a technique to validate the input as well (don't trust that is >>> clean) >>> >> >> I do not understand the exploit. How is he spoofing any $_SERVER >> variables? The attack description doesn't make sense. >> > > Did you actually try his example? > Some browsers may have some client side protection and not execute it. I > believe suhosin protects against it server side. > NoScript would block it, even if you had scripts enabled globally. > > <html> > <head><title>foo</title></head> > > <body> > <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"> > <input type="submit" value="submit" /> > </form> > </body> > > </html> > > Put that on a server w/o suhosin, turn off NoScript, and try it. > If it doesn't work with current firefox - try with an older version of IE. Works for me with Firefox 3.0.6, Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.5 with Suhosin-Patch 0.9.6.2. -- Thanks! -Shawn http://www.spidean.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
