Nmap Development mailing list archives

Re: http-phpself-xss


From: Paulino Calderon <paulino () calderonpale com>
Date: Mon, 30 May 2011 12:55:58 -0700

Correct. Lots of developers use $_SERVER["PHP_SELF"] to retrieve the
script's name without escaping it first, not knowing that attackers can
tamper with this variable.

Other examples are:
* http://www.mc2design.com/blog/php_self-safe-alternatives
* http://www.securityfocus.com/bid/37351
* http://software-security.sans.org/blog/2011/05/02/spot-vuln-percentage

I'll submit a new script to scan for more generic cross site scripting
vulnerabilities after I make sure the crawling / parsing of all the
malformed documents out there works correctly ;)

Cheers.

On 05/30/2011 07:54 AM, Abuse007 wrote:
> If I'm not mistaken the script is not trying to exploit the php parameters, such as data in your second example, but rather the PHP_SELF variable which is set to the relative URL of the currently executing script - including what comes after the php file.
>
> From the doco: -
>
> The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/test.php/foo.bar would be /test.php/foo.bar.
>
>
>
> See: -
> http://spotthevuln.com/2009/10/privilege-escalation-one-damn-thing/
>
> Cheers
>
>
>
> On 30/05/2011, at 11:07 PM, "Hans Nilsson"<hasse_gg () ftml net> wrote:
>
>
>> What about when only certain variables are vulnerable?
>>
>> For example
>> example.com/test.php?<script>alert(1)</script>
>> may not work when
>> example.com/test.php?data=<script>alert(1)</script>
>> works.
>>
>> Or what about if only POST-data is vulnerable?
>>
>> /Hans
>>
>>
>> On Sun, 29 May 2011 03:04 -0700, "Paulino Calderon"
>> <paulino () calderonpale com> wrote:
>>
>>> Hi everyone,
>>>
>>> I'm attaching my script 'http-phpself-xss', this script detects php
>>> files vulnerable to Phpself Cross Site Scripting (*) in a web server.
>>>
>>> First, the script crawls the webserver to list all php files and then it
>>> sends an attack probe to identify all vulnerable scripts.
>>>
>>> Feel free to test this script against my dummy app ->
>>> http://calder0n.com/sillyapp/
>>>
>>> (*) Phpself Cross Site Scripting vulnerabilities refer to cross site
>>> scripting vulnerabilities caused by the lack of sanitization of the
>>> variable $_SERVER["PHP_SELF"] in PHP scripts/web applications.
>>>
>>> Cheers.
>>>
>>> --
>>> Paulino Calderón Pale
>>> Web: http://calderonpale.com
>>> Twitter: @paulinocaIderon
>>>
>>>
>>> _______________________________________________
>>> Sent through the nmap-dev mailing list
>>> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>>> Archived at http://seclists.org/nmap-dev/
>>> Email had 1 attachment:
>>> + http-phpself-xss.nse
>>> 12k (text/plain)
>>>
>> --
>> Hans Nilsson
>> hasse_gg () ftml net
>>
>> --
>> http://www.fastmail.fm - A no graphics, no pop-ups email service
>>
>>


--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: @paulinocaIderon

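As an added illustration of the pattern the thread describes (not code from the thread or from the http-phpself-xss script): the unsafe echo of $_SERVER["PHP_SELF"] from the first message beside a hardened version that encodes the value and drops the PATH_INFO tail. The request path and the helper function names are constructed for this example.

```php
<?php
// Added example, not taken from the thread or from http-phpself-xss.
// Shows why interpolating $_SERVER['PHP_SELF'] into HTML unescaped is
// an XSS sink, and one way to render it safely.

// Constructed value: what PHP sets for a request to
// http://example.com/test.php/<path-info>. Everything after test.php
// (the PATH_INFO part) is chosen by the requester and lands in PHP_SELF.
$_SERVER['PHP_SELF'] = '/test.php/<script>alert(1)</script>';

// Vulnerable pattern: the script path is placed into an HTML attribute
// as-is, so the PATH_INFO tail breaks out of the attribute.
function form_action_unsafe(): string
{
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
}

// Hardened pattern (hypothetical helper, not from the thread):
// 1. keep only the portion up to and including the .php script name,
//    since a self-posting form does not need PATH_INFO;
// 2. encode for the HTML attribute context regardless.
function form_action_safe(): string
{
    $self = $_SERVER['PHP_SELF'];
    if (preg_match('#^(.*?\.php)#', $self, $m)) {
        $self = $m[1];
    }
    return '<form method="post" action="'
        . htmlspecialchars($self, ENT_QUOTES, 'UTF-8') . '">';
}

echo "Unsafe: " . form_action_unsafe() . "\n";
echo "Safe:   " . form_action_safe() . "\n";
```

Running it prints the two renderings side by side; the hardened output contains no raw `<`, `>` or `"` from the request path, which is exactly the condition a scanner like http-phpself-xss is probing for.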
