Full Disclosure mailing list archives
PHP and SCRIPT_NAME variable
From: Roman Medina-Heigl Hernandez <roman () rs-labs com>
Date: Mon, 20 Feb 2006 16:06:23 +0100

Hello,

Last week I was thinking about the possibility for an external attacker to influence over the following PHP variable:

$_SERVER['SCRIPT_NAME']

The former variable contains the remote path (URI) to a PHP script, so if for instance you access with a browser to:

http://<site>/aa/bb/cc/script.php

Then SCRIPT_NAME will contain "/aa/bb/cc/script.php"

I did some basic tests with PHP 4.3.10 and the implementation seems to be safe:

- For instance, if you access something like:
  http://<site>/aa/bb/../dd/cc/script.php
  Then SCRIPT_NAME will be "/aa/dd/cc/script.php" instead of "/aa/bb/../dd/cc/script.php"

- If you try:
  http://<site>/aa/bb/cc/script.php/something
  or
  http://<site>/aa/bb/cc/script.php?something
  Then SCRIPT_NAME will contain "/aa/bb/cc/script.php"

My goal is to be able to add some attacker-specified string to the variable.

Two questions:

1) Do you know of any trick/method by which an attacker could alter SCRIPT_NAME variable? (obviously without having access to docroot directory and/or edit httpd.conf)

2) Perhaps older PHP versions didn't sanitize SCRIPT_NAME variable correctly and could be abused?

Any idea? TIA.

Cheers,
-Román

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
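
A defensive counterpart to the question above, as an added example that is not part of the original post: a script that does not rely on the server having normalized SCRIPT_NAME, accepting the value only if it matches a conservative allow-list and HTML-escaping it before output. The function names, the allow-list and the fallback path are assumptions; the sample values are constructed, the first four from the URLs in the post.

```php
<?php
// Added example (not from the original post). Function names, the allow-list
// and the fallback path are assumptions for illustration. Requires PHP 7.1+.

// Return SCRIPT_NAME only if it looks like a normalized path to a .php file.
function checked_script_name(array $server): ?string
{
    $name = $server['SCRIPT_NAME'] ?? null;
    if (!is_string($name) || strlen($name) > 1024) {
        return null;
    }
    // One or more "/segment" parts from a conservative character set, ending
    // in ".php". \A and \z (not ^ and $) so a trailing newline is rejected.
    if (!preg_match('#\A(?:/[A-Za-z0-9._-]+)+\.php\z#', $name)) {
        return null;
    }
    // Dot segments pass the character class, so reject them explicitly.
    foreach (explode('/', $name) as $segment) {
        if ($segment === '.' || $segment === '..') {
            return null;
        }
    }
    return $name;
}

// Value that is safe to place in HTML text or a quoted attribute.
function script_name_for_html(array $server, string $fallback): string
{
    $name = checked_script_name($server) ?? $fallback;
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Constructed sample values for SCRIPT_NAME.
$samples = [
    '/aa/bb/cc/script.php',
    '/aa/dd/cc/script.php',
    '/aa/bb/../dd/cc/script.php',
    '/aa/bb/cc/script.php/something',
    '/aa/bb/cc/script.php"><x>',
    "/aa/bb/cc/script.php\n",
];
foreach ($samples as $value) {
    $server = ['SCRIPT_NAME' => $value];
    $verdict = checked_script_name($server) !== null ? 'accept' : 'reject';
    $shown = script_name_for_html($server, '/index.php');
    printf("%-6s %s -> %s\n", $verdict, json_encode($value, JSON_UNESCAPED_SLASHES), $shown);
}
```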