Nmap Development mailing list archives

Re: http-phpself-xss


From: Paulino Calderon <paulino () calderonpale com>
Date: Thu, 05 Jul 2012 00:45:53 -0500

Hi list,

I've updated the script http-phpself-xss. Has anyone had a chance to test it? What do you think about the name? Is it implicit enough? Maybe http-phpself-xss-scan would be better. Anyway, I think this script is ready to be committed but I'd love to hear your thoughts before doing that.

Cheers.


On 30/05/2011 02:20 p.m., Paulino Calderon wrote:
Correct. Lots of developers use $_SERVER["PHP_SELF"] to retrieve the script's name without escaping it first, not knowing that attackers can tamper with this variable.

Other examples are:
* http://www.mc2design.com/blog/php_self-safe-alternatives
* http://www.securityfocus.com/bid/37351
* http://software-security.sans.org/blog/2011/05/02/spot-vuln-percentage

I'll submit a new script to scan for more generic cross site scripting vulnerabilities after I make sure the crawling / parsing of all the malformed documents out there works correctly ;)

Cheers.

On 05/30/2011 07:54 AM, Abuse007 wrote:
If I'm not mistaken the script is not trying to exploit the php parameters, such as data in your second example, but rather the PHP_SELF variable which is set to the relative URL of the currently executing script - including what comes after the php file.

From the doco: -

The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/test.php/foo.bar would be /test.php/foo.bar.

See: -
http://spotthevuln.com/2009/10/privilege-escalation-one-damn-thing/

Cheers



On 30/05/2011, at 11:07 PM, "Hans Nilsson" <hasse_gg () ftml net> wrote:

What about when only certain variables are vulnerable?

For example
example.com/test.php?<script>alert(1)</script>
may not work when
example.com/test.php?data=<script>alert(1)</script>
works.

Or what about if only POST-data is vulnerable?

/Hans


On Sun, 29 May 2011 03:04 -0700, "Paulino Calderon" <paulino () calderonpale com> wrote:
Hi everyone,

I'm attaching my script 'http-phpself-xss', this script detects php
files vulnerable to Phpself Cross Site Scripting (*) in a web server.

First, the script crawls the webserver to list all php files and then it
sends an attack probe to identify all vulnerable scripts.

Feel free to test this script against my dummy app ->
http://calder0n.com/sillyapp/

(*) Phpself Cross Site Scripting vulnerabilities refer to cross site
scripting vulnerabilities caused by the lack of sanitization of the
variable $_SERVER["PHP_SELF"] in PHP scripts/web applications.

Cheers.

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: @paulinocaIderon


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Email had 1 attachment:
+ http-phpself-xss.nse
  12k (text/plain)
--
  Hans Nilsson
  hasse_gg () ftml net

--
http://www.fastmail.fm - A no graphics, no pop-ups email service

--
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn

Attachment: http-phpself-xss.nse
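As an added example, not code from the thread or from the NSE script itself: the unescaped PHP_SELF pattern the script probes for, beside its hardened form, with a reflection check in the spirit of the script's detection. PHP_SELF is passed in as a parameter so the file runs from the CLI with a constructed value; the function names are my own.

```php
<?php
// Added example (not from the thread or the NSE script): the unescaped
// PHP_SELF pattern http-phpself-xss looks for, beside a hardened version.
// PHP_SELF is passed in as a parameter so this runs from the CLI with a
// constructed value instead of a live request.

// Vulnerable: PHP_SELF carries any path info after the script name
// (/test.php/foo.bar -> "/test.php/foo.bar"), and it is echoed raw.
function vulnerable_page(string $php_self): string
{
    return '<p>Script: ' . $php_self . '</p>'
         . '<form action="' . $php_self . '" method="post">'
         . '<input type="text" name="data"></form>';
}

// Hardened: HTML-encode before output, so the reflected path info can no
// longer contain markup. ENT_QUOTES also covers the attribute context.
// Using $_SERVER['SCRIPT_NAME'] instead of PHP_SELF avoids the path-info
// suffix altogether, but the encoding is still the right habit.
function hardened_page(string $php_self): string
{
    $safe = htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8');
    return '<p>Script: ' . $safe . '</p>'
         . '<form action="' . $safe . '" method="post">'
         . '<input type="text" name="data"></form>';
}

// Detection check in the spirit of the script: is the probe string
// reflected verbatim (unencoded) in the response body?
function probe_reflected(string $body, string $probe): bool
{
    return strpos($body, $probe) !== false;
}

// Constructed sample: PHP_SELF as seen when a client requests
// /test.php/<script>alert(1)</script> (the probe form used in the thread).
$probe    = '<script>alert(1)</script>';
$php_self = '/test.php/' . $probe;

foreach (['vulnerable' => vulnerable_page($php_self),
          'hardened'   => hardened_page($php_self)] as $label => $body) {
    printf("%-10s reflected=%s\n%s\n\n", $label,
           probe_reflected($body, $probe) ? 'yes' : 'no', $body);
}
```

Run it with the php CLI: the vulnerable body reflects the probe verbatim while the hardened body only contains the entity-encoded form, which is the difference a scanner like this one keys on.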
