Nmap Development mailing list archives
Re: http-phpself-xss
From: Paulino Calderon <paulino () calderonpale com>
Date: Mon, 30 May 2011 12:55:58 -0700
Correct. Lots of developers use $_SERVER["PHP_SELF"] to retrieve the script's name without escaping it first, not knowing that attackers can tamper with this variable. Other examples are:

* http://www.mc2design.com/blog/php_self-safe-alternatives
* http://www.securityfocus.com/bid/37351
* http://software-security.sans.org/blog/2011/05/02/spot-vuln-percentage

I'll submit a new script to scan for more generic cross site scripting vulnerabilities after I make sure the crawling / parsing of all the malformed documents out there works correctly ;)

Cheers.

On 05/30/2011 07:54 AM, Abuse007 wrote:
> If I'm not mistaken the script is not trying to exploit the php parameters, such as data in your second example, but rather the PHP_SELF variable which is set to the relative URL of the currently executing script - including what comes after the php file.
>
> From the doco:
>
>> The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/test.php/foo.bar would be /test.php/foo.bar.
>
> See: http://spotthevuln.com/2009/10/privilege-escalation-one-damn-thing/
>
> Cheers
>
> On 30/05/2011, at 11:07 PM, "Hans Nilsson" <hasse_gg () ftml net> wrote:
>
>> What about when only certain variables are vulnerable?
>>
>> For example
>> example.com/test.php?<script>alert(1)</script>
>> may not work when
>> example.com/test.php?data=<script>alert(1)</script>
>> works.
>>
>> Or what about if only POST-data is vulnerable?
>>
>> /Hans
>>
>> On Sun, 29 May 2011 03:04 -0700, "Paulino Calderon" <paulino () calderonpale com> wrote:
>>
>>> Hi everyone,
>>>
>>> I'm attaching my script 'http-phpself-xss', this script detects php files vulnerable to Phpself Cross Site Scripting (*) in a web server. First, the script crawls the webserver to list all php files and then it sends an attack probe to identify all vulnerable scripts.
>>>
>>> Feel free to test this script against my dummy app -> http://calder0n.com/sillyapp/
>>>
>>> (*) Phpself Cross Site Scripting vulnerabilities refer to cross site scripting vulnerabilities caused by the lack of sanitization of the variable $_SERVER["PHP_SELF"] in PHP scripts/web applications.
>>>
>>> Cheers.
>>>
>>> --
>>> Paulino Calderón Pale
>>> Web: http://calderonpale.com
>>> Twitter: @paulinocaIderon
>>>
>>> _______________________________________________
>>> Sent through the nmap-dev mailing list
>>> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>>> Archived at http://seclists.org/nmap-dev/
>>> Email had 1 attachment:
>>> + http-phpself-xss.nse
>>> 12k (text/plain)
>>
>> --
>> Hans Nilsson
>> hasse_gg () ftml net

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: @paulinocaIderon
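The pattern the thread is about, shown as an added example that is not code from the thread or from the http-phpself-xss script: the unescaped PHP_SELF form action beside two safe alternatives. The script path /test.php and the constructed $server array are assumptions used to stand in for what the web server would populate.

```php
<?php
// Added example, not from the thread or the NSE script.
// Assumes this file is served as /test.php. PHP_SELF carries PATH_INFO, so a
// request for /test.php/<anything> makes $_SERVER["PHP_SELF"] equal to
// "/test.php/<anything>", and that trailing segment is attacker controlled.

// VULNERABLE: the request path is copied straight into an attribute value.
// A double quote in the path closes the attribute and what follows becomes
// markup, which is the Phpself XSS the thread describes.
function form_action_vulnerable(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// SAFE (1): escape on output. ENT_QUOTES also encodes the double quote that
// would otherwise terminate the action attribute early.
function form_action_escaped(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

// SAFE (2): avoid PHP_SELF entirely. SCRIPT_NAME is the script path without
// PATH_INFO; it is still escaped as a matter of course before output.
function form_action_script_name(array $server): string
{
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

// Constructed stand-in for $_SERVER after a request whose path info contains
// a quote and a tag (the values here are made up for the demonstration).
$server = [
    'SCRIPT_NAME' => '/test.php',
    'PHP_SELF'    => '/test.php/"><b>injected</b>',
];

echo form_action_vulnerable($server), "\n";
echo form_action_escaped($server), "\n";
echo form_action_script_name($server), "\n";
```

Running it shows that only the first line contains a literal `<b>` tag outside the attribute; in the other two the path info is either entity-encoded or absent, so a crawler-and-probe check like http-phpself-xss would no longer see its marker reflected as markup.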
Current thread:
- http-phpself-xss Paulino Calderon (May 29)
- Re: http-phpself-xss Hans Nilsson (May 30)
- Re: http-phpself-xss Abuse007 (May 30)
- <Possible follow-ups>
- Re: http-phpself-xss Paulino Calderon (May 30)
- Re: http-phpself-xss Hans Nilsson (May 30)