Vulnerability Development mailing list archives
Re: PHP and SCRIPT_NAME variable
From: Roman Medina-Heigl Hernandez <roman () rs-labs com>
Date: Thu, 23 Feb 2006 20:23:01 +0100
Serg Belokamen wrote:
> I am quite sure you can't exploit $_SERVER["SCRIPT_NAME"] variable unless there is a buffer overflow or something, but then again you would be limited by the size of data allowed within GET request... So doubt you get anything evil out of that.
I also talked privately with other folks like FX and Stefan Esser. They both told me that the normalization of that variable (amongst others, I suppose) depends on the web server being used. I only had time to do some quick tests with Apache 1.3.x and Apache 2.0.x, and the results are the same (for instance, "/dir1/../dir2/script.php" gets normalized to "/dir2/script.php"). Has anybody done similar tests and noted different behaviours between different web servers? Examples?
> However if you swap your example from: $_SERVER["SCRIPT_NAME"] to $_SERVER["PHP_SELF"]
Yes, I know. If the variable in question was PHP_SELF, the game would be over and I'd have my "problem" solved. But unfortunately it's not the case.

--
Regards,
-Roman

PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
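Since the message reports that normalization of SCRIPT_NAME depends on the web server, a defensive way to use the variable is to validate and escape it rather than rely on that normalization. The following is an added example, not part of the original message or thread; the function names, the allow-list pattern and the fallback path `/index.php` are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Function names, the allow-list and
// the fallback path are assumptions made for illustration.

/** Collapse "." and ".." segments, as the Apache tests in the message observed. */
function collapse_dot_segments(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;                 // empty and "." segments vanish
        }
        if ($segment === '..') {
            array_pop($out);          // ".." removes the previous segment
            continue;
        }
        $out[] = $segment;
    }
    return '/' . implode('/', $out);
}

/** Return a value safe to echo into an HTML attribute such as <form action>. */
function safe_script_name(array $server, string $fallback): string
{
    $raw = (string) ($server['SCRIPT_NAME'] ?? '');
    // Accept only plain path characters, already in normalized form.
    $ok = preg_match('#^(/[A-Za-z0-9._-]+)+$#D', $raw) === 1
        && collapse_dot_segments($raw) === $raw;
    // Escape on output even when the check passes.
    return htmlspecialchars($ok ? $raw : $fallback, ENT_QUOTES, 'UTF-8');
}

// Constructed sample values standing in for what different servers might report.
$samples = [
    '/dir2/script.php',           // normalized form from the message
    '/dir1/../dir2/script.php',   // un-normalized form: falls back
    '/dir2/<b>.php',              // markup characters: rejected by the allow-list
];
foreach ($samples as $value) {
    printf("%-28s => %s\n", $value, safe_script_name(['SCRIPT_NAME' => $value], '/index.php'));
}
```

Only the first sample is returned unchanged; the other two yield the fallback, so the output does not depend on which server produced the value.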