Full Disclosure mailing list archives
Re: Apache/PHP REQUEST_METHOD XSS Vulnerability
From: Vincent Archer <varcher () denyall com>
Date: Wed, 25 Apr 2007 11:35:57 +0200
On Tue, 2007-04-24 at 20:03 +0300, عبد الله احمد عنان wrote:
> This is a case of poor-programming, on the script coder's part, it is not so much a vulnerability.

In that case, nobody's talking about vulnerabilities on this list, only poor programming. :)

The problem in here is that the programmer "assumes" that the variables do have a proper value checking done prior to handing off to the script engine. HTTP_METHOD is well defined. One would assume apache has validated the method somehow. Unfortunately, this assumption was flawed.

> That variable only contains what it is sent by apache. It doesn't parse it. Nor is it supposed to.

However, it (apache) should perform integrity checks, because it has the capacity to do so.

> This CAN be a vulnerability with individual scripts, however, it is not a vuln with PHP or Apache.

Not with PHP. But I would agree with the original programmer that apache is at fault here. Apache should have done the expected work, and validated that the request was standards-compliant. It didn't, and that opens up a huge chasm in which plenty of problems, vulnerabilities and others, may hide.

-- 
Vincent ARCHER
varcher () denyall com
Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 23, rue Notre Dame des Victoires - 75002 Paris - France

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
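The two positions in the message above (the server should validate the Request-Line; the script should not trust REQUEST_METHOD) can both be shown in a few lines. The following is an added example written for this archive page, not code from any poster, Apache or PHP. It emulates, in Python, a permissive server that copies the method into REQUEST_METHOD verbatim, a script that reflects it into HTML unescaped, and then the two checks a practitioner would want: a server-side test that the method is a syntactically valid RFC 2616 token, and a script-side allowlist plus HTML escaping. The function names, the allowlist contents and the two sample request lines are assumptions constructed for the example.

```python
import html
import re

# RFC 2616 section 2.2: token = 1*<any CHAR except CTLs or separators>.
# The separators are ( ) < > @ , ; : \ " / [ ] ? = { } SP HT, so a method
# may only contain the characters in this class.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Methods this hypothetical application is willing to serve. An assumption
# for the example; the thread does not specify any particular application.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST"})


def parse_request_line(line: str) -> dict:
    """Split a Request-Line into the CGI variables a permissive server hands to the script.

    This deliberately mirrors the behaviour the thread complains about: the
    method is copied into REQUEST_METHOD verbatim, with no check that it is a
    valid token.
    """
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed Request-Line")
    method, uri, version = parts
    return {"REQUEST_METHOD": method, "REQUEST_URI": uri, "SERVER_PROTOCOL": version}


def is_token(value: str) -> bool:
    """True if value is a syntactically valid RFC 2616 token (the grammar of a method)."""
    return bool(_TOKEN_RE.match(value))


def server_check(env: dict):
    """The integrity check the message argues the server should perform:
    refuse a Request-Line whose method is not a token (400) before any
    script runs. Returns None when the request may proceed."""
    if not is_token(env["REQUEST_METHOD"]):
        return 400
    return None


def render_vulnerable(env: dict) -> str:
    """The script pattern under discussion: REQUEST_METHOD goes into HTML unescaped."""
    return "<p>Method: %s</p>" % env["REQUEST_METHOD"]


def render_hardened(env: dict):
    """Script-side defence that does not depend on the server doing its job:
    reject non-token methods, allowlist the rest, and escape on output anyway.
    Returns (status, body)."""
    method = env["REQUEST_METHOD"]
    if not is_token(method):
        return 400, "<p>Bad Request</p>"
    if method not in ALLOWED_METHODS:
        return 405, "<p>Method Not Allowed</p>"
    return 200, "<p>Method: %s</p>" % html.escape(method, quote=True)


# Constructed sample request lines (not captured traffic): a normal request
# and one whose "method" is a classic XSS canary rather than a token.
NORMAL_REQUEST = "GET /index.php HTTP/1.0"
HOSTILE_REQUEST = "<script>alert(1)</script> /index.php HTTP/1.0"


def demo() -> dict:
    """Run both sample requests through the permissive parser, the vulnerable
    script and the hardened script; return the outcomes keyed by sample name."""
    results = {}
    for name, raw in (("normal", NORMAL_REQUEST), ("hostile", HOSTILE_REQUEST)):
        env = parse_request_line(raw)
        results[name] = {
            "server_status": server_check(env),
            "vulnerable_html": render_vulnerable(env),
            "hardened": render_hardened(env),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running the block shows the hostile request passing straight through the permissive parser into the vulnerable page with its angle brackets intact, while either check alone stops it: the server-side token test answers 400 before the script sees it, and the hardened script answers 400 on its own (and 405 for a well-formed but unexpected method such as FOO). Escaping on output is kept even after the allowlist so the page stays safe if the allowlist is later widened.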
Current thread:
- Apache/PHP REQUEST_METHOD XSS Vulnerability Michal Majchrowicz (Apr 23)
- Re: Apache/PHP REQUEST_METHOD XSS Vulnerability Kradorex Xeron (Apr 23)
- Re: Apache/PHP REQUEST_METHOD XSS Vulnerability Michał Majchrowicz (Apr 23)
- Message not available
- Message not available
- Re: Apache/PHP REQUEST_METHOD XSS Vulnerability Michal Majchrowicz (Apr 23)
- Re: Apache/PHP REQUEST_METHOD XSS Vulnerability Michał Majchrowicz (Apr 23)
- Re: Apache/PHP REQUEST_METHOD XSS Vulnerability Kradorex Xeron (Apr 24)
- Re: Apache/PHP REQUEST_METHOD XSS Vulnerability Michał Majchrowicz (Apr 24)
- Re: Apache/PHP REQUEST_METHOD XSS Vulnerability Kradorex Xeron (Apr 23)
- Re: Apache/PHP REQUEST_METHOD XSS Vulnerability عبد الله احمد عنان (Apr 24)
- Re: Apache/PHP REQUEST_METHOD XSS Vulnerability Vincent Archer (Apr 25)
- Re: Apache/PHP REQUEST_METHOD XSS Vulnerability Kradorex Xeron (Apr 25)
- Re: Apache/PHP REQUEST_METHOD XSS Vulnerability Vincent Archer (Apr 25)
- Re: Apache/PHP REQUEST_METHOD XSS Vulnerability Michal Majchrowicz (Apr 23)
- Re: [VulnWatch] Apache/PHP REQUEST_METHOD XSS Vulnerability Michal Majchrowicz (Apr 24)