Nmap Development mailing list archives
Re: http-phpself-xss
From: Paulino Calderon <paulino () calderonpale com>
Date: Thu, 05 Jul 2012 00:45:53 -0500
Hi list,I've updated the script http-phpself-xss. Has anyone had a chance to test it? What do you think about the name? Is it implicit enough? Maybe http-phpself-xss-scan would be better. Anyway, I think this script is ready to be commited but I'd love to hear your thoughts before doing that.
Cheers. On 30/05/2011 02:20 p.m., Paulino Calderon wrote:
Correct. Lots of developers use $_SERVER["PHP_SELF"] to retrieve the script's name without escaping it first not knowing that attackers can tamper this variable.Other examples are: *http://www.mc2design.com/blog/php_self-safe-alternatives *http://www.securityfocus.com/bid/37351 *http://software-security.sans.org/blog/2011/05/02/spot-vuln-percentageI'll submit a new script to scan for more generic cross site scripting vulnerabilities after I make sure the crawling / parsing of all the malformed documents out there works correctly ;)Cheers. On 05/30/2011 07:54 AM, Abuse007 wrote:If I'm not mistaken the script is not trying to exploit the php parameters, such as data in your second example, but rather the PHP_SELF variable which is set the the relative URL of the currently executing script - including what comes after the php file.From the doco: -The filename of the currently executing script,relative to the document root. For instance,$_SERVER['PHP_SELF'] in a script at the addresshttp://example.com/test.php/foo.bar would be /test.php/foo.bar.See: - http://spotthevuln.com/2009/10/privilege-escalation-one-damn-thing/ Cheers On 30/05/2011, at 11:07 PM, "Hans Nilsson"<hasse_gg () ftml net> wrote:What about when only certain variables are vulnerable? For example example.com/test.php?<script>alert(1)</script> may not work when example.com/test.php?data=<script>alert(1)</script> works. Or what about if only POST-data is vulnerable? /Hans On Sun, 29 May 2011 03:04 -0700, "Paulino Calderon" <paulino () calderonpale com> wrote:Hi everyone, I'm attaching my script 'http-phpself-xss', this script detects php files vulnerable to Phpself Cross Site Scripting(*) in a web server.First, the script crawls the webserver to list all php files and then itsends an attack probe to identify all vulnerable scripts. Feel free to test this script against my dummy app -> http://calder0n.com/sillyapp/ (*) Phpself Cross Site Scripting vulnerabilities refers to cross site scripting vulnerabilities caused by the lack of sanitation of the variable $_SERVER["PHP_SELF"] in PHP scripts/web applications. Cheers. -- Paulino Calderón Pale Web: http://calderonpale.com Twitter: @paulinocaIderon _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/ Email had 1 attachment: + http-phpself-xss.nse 12k (text/plain)-- Hans Nilsson hasse_gg () ftml net -- http://www.fastmail.fm - A no graphics, no pop-ups email service _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
-- Paulino Calderón Pale Website: http://calderonpale.com Twitter: http://twitter.com/calderpwn
Attachment:
http-phpself-xss.nse
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: http-phpself-xss Paulino Calderon (Jul 04)
- Re: http-phpself-xss stripes (Jul 04)
- Re: http-phpself-xss Paulino Calderon (Jul 05)
- Re: http-phpself-xss stripes (Jul 05)
- Re: http-phpself-xss Paulino Calderon (Jul 05)
- Re: http-phpself-xss stripes (Jul 04)