Vulnwatch mailing list archives
Apache/PHP REQUEST_METHOD XSS Vulnerability
From: "Michal Majchrowicz" <m.majchrowicz () gmail com>
Date: Mon, 23 Apr 2007 23:31:34 +0200
There exists a flaw in the way the Apache and PHP combination handles the $_SERVER array. If the programmer writes a script like this:

    <?php echo $_SERVER['REQUEST_METHOD']; ?>

he will assume that REQUEST_METHOD can only be GET, POST, OPTIONS, TRACE and all that stuff. However, this is not true, since Apache accepts requests that look like this:

    GET<script>alert(document.coookie);</script> /test.php HTTP/1.0

And the output for this would be:

    GET<script>alert(document.coookie);</script>

Of course it is hard to exploit (I think some Flash might help ;)) and I don't know if it is exploitable at all. But programmers should be warned about this behaviour. You can't trust any variable in the $_SERVER table!

Regards
Michal Majchrowicz.
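One way to handle the value described in the message above, as an added example that is not part of the original post: the method is checked against an allow-list and anything echoed from $_SERVER is HTML-encoded. The helper names `safe_request_method` and `h`, the contents of the allow-list, and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example; helper names and the allow-list are hypothetical.
// Methods this application is assumed to support. Method tokens are
// case-sensitive, so 'get' is not the same as 'GET'.
const ALLOWED_METHODS = ['GET', 'HEAD', 'POST', 'OPTIONS'];

/** Return the request method if it is on the allow-list, otherwise null. */
function safe_request_method(array $server): ?string
{
    $method = $server['REQUEST_METHOD'] ?? '';
    if (!is_string($method)) {
        return null;
    }
    return in_array($method, ALLOWED_METHODS, true) ? $method : null;
}

/** Encode a value for output in an HTML text or attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs standing in for $_SERVER; the second one is
// the request line quoted in the message.
$samples = [
    ['REQUEST_METHOD' => 'GET'],
    ['REQUEST_METHOD' => 'GET<script>alert(document.coookie);</script>'],
    ['REQUEST_METHOD' => 'get'],
    [],
];

foreach ($samples as $server) {
    $raw    = $server['REQUEST_METHOD'] ?? '';
    $method = safe_request_method($server);
    if ($method === null) {
        // In a real handler: http_response_code(405), send an Allow
        // header and stop. The raw value is encoded even when only logged
        // or shown in an error page.
        printf("rejected: %s\n", h($raw));
    } else {
        printf("accepted: %s\n", h($method));
    }
}
```

Run from the command line, the second sample is rejected and printed with `<` and `>` encoded as `&lt;` and `&gt;`, so the markup is never emitted as HTML.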