Vulnerability Development mailing list archives

Re: PHP and SCRIPT_NAME variable

From: Roman Medina-Heigl Hernandez <roman () rs-labs com>
Date: Thu, 23 Feb 2006 20:23:01 +0100

Serg Belokamen wrote:

I am quiet sure you can't exploit $_SERVER["SCRIPT_NAME"] variable
unless there is a buffer overflow or something, but then again you
would be limited by the size of data allowed withing GET request... So
doubt you get anything evil out of that.


I also talked privately with other folks like FX and Steffan Esser. They
told me both that the normalization of that variable (amongst others, I
suppose) depends on the web server being used. I only had time to do some
quick tests with Apache 1.3.x and Apache 2.0.x, and they result the same
(for instance, "/dir1/../dir2/script.php" gets normalized to
"/dir2/script.php"). Have somebody done similar tests and noted different
behaviours between different web servers? Examples?

However if you swap yoru example from:

$_SERVER["SCRIPT_NAME"]

to

$_SERVER["PHP_SELF"]


Yes, I know. If the variable in question was PHP_SELF, the game would be
over and I'd have my "problem" solved. But unfortunately it's not the case.

-- 

Saludos,
-Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

Current thread:

PHP and SCRIPT_NAME variable Roman Medina-Heigl Hernandez (Feb 21)
- <Possible follow-ups>
- Re: PHP and SCRIPT_NAME variable contact (Feb 21)
  - Message not available
    - Re: PHP and SCRIPT_NAME variable Harald Eder (Feb 22)
    - Re: PHP and SCRIPT_NAME variable Serg Belokamen (Feb 23)
    - Re: PHP and SCRIPT_NAME variable Roman Medina-Heigl Hernandez (Feb 23)