PHP and SCRIPT_NAME variable

[Roman Medina-Heigl Hernandez <roman () rs-labs com>]

Hello,

Last week I was thinking about the possibility for an external attacker to
influence over the following PHP variable:
$_SERVER['SCRIPT_NAME']

The former variable contains the remote path (URI) to a PHP script, so if
for instance you access with a browser to:
http://<site>/aa/bb/cc/script.php
Then SCRIPT_NAME will contain "/aa/bb/cc/script.php"

I did some basic tests with PHP 4.3.10 and the implementation seems to be safe:
- For instance, if you access something like:
http://<site>/aa/bb/../dd/cc/script.php
Then SCRIPT_NAME will be "/aa/dd/cc/script.php"
instead of "/aa/bb/../dd/cc/script.php"
- If you try:
http://<site>/aa/bb/cc/script.php/something
or
http://<site>/aa/bb/cc/script.php?something
Then SCRIPT_NAME will contain "/aa/bb/cc/script.php"

My goal is to be able to add some attacker-specified string to the
variable. Two questions:
1) Do you know of any trick/method by which an attacker could alter
SCRIPT_NAME variable? (obviusly without having access to docroot directory
and/or edit httpd.conf)
2) Perhaps older PHP versions didn't sanitize SCRIPT_NAME variable
correctly and could be abused? Any idea?

TIA.

Cheers,
-Román
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/