The danger of PHP_SELF

The $_SERVER[‘PHP_SELF’] or old syntax $PHP_SELF superglobal gives you the filename of the currently executing script, relative to the document root.
Often used in forms or in links.

<form action=”<? echo $_SERVER[‘PHP_SELF’]; ?>” method=”POST”>

Here you see a normal login form with the form container above.

login form

It’s possible to break the form with login.php/”<h1>XSS</h1> in the URL.

login form xss

As you can see the HTML code in the URL is included in the website. Sure it’s possible to include every piece of HTML, CSS and JavaScript.

This method is called Cross Site Scripting (XSS) and is often used for phishing.

Every PHP_SELF should be converted to HTML entities, with a function like htmlentities.

<form action=”<? echo htmlentities($_SERVER[‘PHP_SELF’], ENT_QUOTES); ?>” method=”POST”>
About these ads

1 comment so far

  1. […] sich selbst mittels $_SERVER['PHP_SELF']; (ich hatte hier immer dieses böse Sicherheitsloch zu PHP_SELF im Beitrag und nie sagte jemand etwas), indem man einfach wieder die selbe Datei aufruft, sollte […]


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: