Re: which server variables from this list can be spoofed?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Jan 20, 2012 at 10:07 AM, Haluk Karamete
<halukkaramete@xxxxxxxxx> wrote:
> I marked those I already know as "can",
>
> $_SERVER['REMOTE_ADDR']  CAN
> $_SERVER['HTTP_REFERER']  CAN
> $_SERVER['HTTP_USER_AGENT']  CAN
> $_SERVER['REQUEST_URI']   CAN ( cause it contains the query string
> part and user/hacker can easily change that )
>
> Those I'm not too sure are as follows;
>
> $_SERVER['SERVER_NAME']
> $_SERVER['DOCUMENT_ROOT']
> $_SERVER['SCRIPT_NAME']
> $_SERVER['PHP_SELF']

All of 'em.  However, SERVER_NAME, DOCUMENT_ROOT, and SCRIPT_NAME come
from the server, so it would have to be whoever controls the server
doing the spoofing.

PHP_SELF could probably be faked in the code if done creatively.
Naturally, no one would try to do this intentionally, but I wonder if
something mischievous could be done with this if code was included
from an external source.

--
Ghodmode
http://www.ghodmode.com/blog

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux