[VIM] Ig-shop change_pass.php XSS - 2 vectors

Steven M. Christey coley at linus.mitre.org
Tue Oct 31 17:59:38 EST 2006


Stuart,

For a second I thought I'd had a huge misunderstanding about PHP_SELF,
then things became OK.  I guess there's a particular subtlety that hasn't
reached widespread awareness.

> The $PHP_SELF variable returns the script name, but not the query
> parameters (manual says: "The filename of the currently executing
> script, relative to the document root").  So the 'action' parameter
> shouldn't be a valid exploit vector.

The population of PHP_SELF seems to get confused sometimes, or at least
returns unexpected values.  This might be related to how Apache parses PHP
requests, I don't know.

Take an example abc.php (tested on PHP 4.3 on Apache):

  <?php
  // abc.php: print the script name as PHP populated it for this request
  echo $_SERVER['PHP_SELF'];

Calling this:

  http://url/abc.php/param=<script>alert('hi')</script>

gives the XSS dialog we all know and love.

Looks like the request is parsed into "before ?" and "after ?", and
anything before "?" is dumped into PHP_SELF.

So, for ig-shop, what happens if you use something like:

  http://site.com/ig-shop/change_pass.php/action=">[etc. etc. etc]

i.e., a "/" between change_pass.php and action?

- Steve
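The PATH_INFO subtlety discussed in this message, as an added example that is not part of the original thread: the raw reflection pattern next to a hardened version, with constructed `$_SERVER` values for the "/" vector (the function names and the sample values are assumptions, not ig-shop's code).

```php
<?php
// Added example, not from the original thread. Shows why PHP_SELF carries
// attacker-influenced PATH_INFO and how to render the script name safely.
// Assumes Apache routes /change_pass.php/anything to the script (path info).

// Vulnerable pattern: script name echoed unencoded into an attribute.
function form_action_unsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened: use SCRIPT_NAME (no PATH_INFO component) and HTML-encode it,
// including quotes, because the value is placed inside an attribute.
function form_action_safe(array $server): string
{
    $self = $server['SCRIPT_NAME'] ?? $server['PHP_SELF'];
    $encoded = htmlspecialchars($self, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $encoded . '" method="post">';
}

// Constructed $_SERVER values for a request of the form
// /ig-shop/change_pass.php/action="><script>...</script>
$constructed = [
    'SCRIPT_NAME' => '/ig-shop/change_pass.php',
    'PATH_INFO'   => '/action="><script>alert(1)</script>',
    'PHP_SELF'    => '/ig-shop/change_pass.php/action="><script>alert(1)</script>',
];

echo form_action_unsafe($constructed), "\n"; // markup survives: reflected XSS
echo form_action_safe($constructed), "\n";   // action="/ig-shop/change_pass.php"

// Under a real request, inspect what the server actually populated.
if (PHP_SAPI !== 'cli') {
    echo form_action_safe($_SERVER), "\n";
}
```

Run it from the command line to compare the two outputs, or drop it into a web root and request it with a trailing `/...` path segment to see the live `$_SERVER` values.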

