
Preventing XSS via PHP's Super-Global "$_SERVER['PHP_SELF']" Variable

November 16, 2011

Posted by Tournas Dimitrios in PHP.

There is one golden rule for web developers: never trust data submitted by visitors. For example, a visitor can by mistake "crash" the current page session by submitting text into a phone form field. Most likely the database is configured to accept only numeric values in its phone column and responds with a "fatal error" when the data is not in the expected format. Depending on the web server's configuration, the visitor then gets a cryptic message on screen, not a pleasant experience. In the worst case, an attacker could gain access to our page and "sniff" all feedback our visitors submit through forms.

Of course we can defend against both scenarios by filtering and sanitizing all data submitted by visitors. This article focuses only on the weakness of PHP's "$_SERVER['PHP_SELF']" variable. PHP_SELF is a super-global variable that returns the name and path of the currently executing script, relative to the document root. It is commonly used in the "action" attribute of a form. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/testfolder/foo.php returns the value "/testfolder/foo.php". The "action" attribute of the form tells the browser where to submit the form data when the user presses the "submit" button, and it is common for the same PHP page to act as the form's handler as well. Good programming practice favours portable code, so the path in the "action" attribute is not hard-coded into the form but generated dynamically with PHP's "$_SERVER['PHP_SELF']" variable. So what is the problem, you may ask? Consider the following PHP code.

<?php
// Vulnerable version: the form's action echoes $_SERVER['PHP_SELF'] without
// escaping (the echoed $name is also written out unescaped).
if (isset($_POST['submit'])) {
    $name = $_POST['name'];
    echo "Your name is : <b> $name </b>";
    echo "<br>Change your name by submitting a new name in the following form .";
}
?>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <input type="text" name="name">
    <input type="submit" name="submit" value="Submit new name">
</form>

In the worst case, an attacker calls this script by entering the following URL in the browser's address bar:

http://www.example.com/testfolder/%22%3E%3Cscript%3Ealert('Hacked')%3C/script%3E%3foo%22

After PHP has processed the request, the rendered form becomes:

<form name="test" method="post" action="/testfolder"/><script>alert('Hacked')</script>foo.php"">

The exploit simply added a script tag and a JavaScript alert statement; when the page loads, the user sees an alert box. This is only a simple example of how the PHP_SELF variable can be exploited: any JavaScript code can be placed between the "script" tags. An attacker can also link to a JavaScript file hosted on another server, and that file can hold malicious code that alters global variables or submits the form to another address to capture the user's submitted data, for example. The following code avoids PHP_SELF exploits by using PHP's built-in htmlentities() function:

<?php
// Fixed version: PHP_SELF is passed through htmlentities() before it is
// written into the action attribute. The echoed $name is escaped as well,
// since the same rule ("never trust submitted data") applies to it.
if (isset($_POST['submit'])) {
    $name = htmlspecialchars($_POST['name'], ENT_QUOTES, 'UTF-8');
    echo "Your name is : <b> $name </b>";
    echo "<br>Change your name by submitting a new name in the following form .";
}
?>
<form method="post" action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>">
    <input type="text" name="name"><br>
    <input type="submit" name="submit" value="Submit new name"><br>
</form>

The htmlentities() function converts all applicable characters to HTML entities, so any attempt to inject markup through the URL ends up as harmless text in the attribute value. Although some PHP servers are configured to perform this conversion automatically, a good web developer should not take that risk and should sanitize all submitted form data. Happy coding 🙂
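As an added example (not code from the original post), the following stand-alone PHP script applies the fix above to a constructed benign PHP_SELF value and to the post's injected path, and applies the same escaping to the echoed name; the helper names and sample values are assumptions made for the demo.

```php
<?php
// Added example: demonstrates the escaping used in the fixed form. Both
// PHP_SELF values below are constructed for this demo; nothing is read
// from a real request, so the script can be run from the CLI.
declare(strict_types=1);

// Escape a value for use inside a double-quoted HTML attribute or in text.
// ENT_QUOTES also converts single quotes, so the result is safe in either
// attribute quoting style; the charset is stated rather than left implicit.
function escapeHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Build the <form> opening tag from a PHP_SELF value, as the fixed script
// does (htmlentities() around $_SERVER['PHP_SELF']).
function formOpenTag(string $phpSelf): string
{
    return '<form method="post" action="' . escapeHtml($phpSelf) . '">';
}

// A normal request: PHP_SELF is the script path below the document root.
$benign = '/testfolder/foo.php';
echo formOpenTag($benign), "\n";
// <form method="post" action="/testfolder/foo.php">

// The post's scenario: extra path info appended after the script name is
// reflected into PHP_SELF. After escaping, the quote and angle brackets are
// entities, so the browser sees an attribute value, not a <script> element.
$hostile = '/testfolder/foo.php/"><script>alert(\'Hacked\')</script>';
$tag = formOpenTag($hostile);
echo $tag, "\n";
// <form method="post" action="/testfolder/foo.php/&quot;&gt;&lt;script&gt;alert(&#039;Hacked&#039;)&lt;/script&gt;">

// The same rule applies to the submitted name the post echoes back.
$name = '<b>Mallory</b>';
echo 'Your name is : <b>', escapeHtml($name), "</b>\n";
// Your name is : <b>&lt;b&gt;Mallory&lt;/b&gt;</b>

// Self-check: no raw attribute-breaking characters survive inside the
// action attribute (strip the fixed prefix and the closing quote and '>').
$attr = substr($tag, strlen('<form method="post" action="'), -2);
if (strpbrk($attr, '"<>') !== false) {
    throw new RuntimeException('escaping failed: raw markup in attribute');
}
echo "attribute value contains no raw \", < or >\n";
```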
