[VIM] Ig-shop change_pass.php XSS - 2 vectors
Stuart Moore
smoore at securityglobal.net
Tue Oct 31 20:15:21 EST 2006
Steve,
You are right, this works:
change_pass.php/action=">[etc. etc. etc]
It is possible that the following could work on some Apache configs
(especially if mod_rewrite is rewriting the URL):
change_pass.php?action=">[etc. etc. etc]
Either way, the functioning of $PHP_SELF does not seem consistent w/ the
PHP documentation. I noticed that the variable has a long history of
bugs and documentation inconsistencies ...
Stuart
Steven M. Christey wrote:
> Stuart,
>
> For a second I thought I'd had a huge misunderstanding about PHP_SELF,
> then things became OK. I guess there's a particular subtlety that hasn't
> reached widespread awareness.
>
>> The $PHP_SELF variable returns the script name, but not the query
>> parameters (manual says: "The filename of the currently executing
>> script, relative to the document root"). So the 'action' parameter
>> shouldn't be a valid exploit vector.
>
> The population of PHP_SELF seems to get confused sometimes, or at least
> returns unexpected values. This might be related to how Apache parses PHP
> requests, I don't know.
>
> Take an example abc.php (tested on PHP 4.3 on Apache):
>
> echo $_SERVER['PHP_SELF'];
>
> Calling this:
>
> http://url/abc.php/param=<script>alert('hi')</script>
>
> gives the XSS dialog we all know and love.
>
> Looks like the request is parsed into "before ?" and "after ?", and
> anything before "?" is dumped into PHP_SELF.
>
> So, for ig-shop, what happens if you use something like:
>
> http://site.com/ig-shop/change_pass.php/action=">[etc. etc. etc]
>
> i.e., a "/" between change_pass.php and action?
>
> - Steve
>
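The behaviour the thread describes, as an added example that is not code from ig-shop or from either poster: under Apache, PHP_SELF is SCRIPT_NAME followed by PATH_INFO, so a request for `change_pass.php/action=">...` puts the attacker's text into PHP_SELF while the query string (after `?`) never does. The `simulate_server()` helper below is a stand-in for the SAPI and mimics that split on constructed request URIs; the `vulnerable_form()` / `hardened_form()` functions are illustrative, not ig-shop's actual code.

```php
<?php
// Added example (not from ig-shop or the thread). Shows why echoing
// $_SERVER['PHP_SELF'] into a form action is XSS-prone and how to harden it.

// Vulnerable pattern: PHP_SELF (which includes PATH_INFO) echoed unescaped
// into an HTML attribute, so a '"' in the path breaks out of the attribute.
function vulnerable_form(array $server): string {
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened: SCRIPT_NAME carries no PATH_INFO, and it is HTML-escaped anyway
// (ENT_QUOTES so both '"' and "'" are neutralised inside the attribute).
function hardened_form(array $server): string {
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Stand-in for what Apache/mod_php do when populating $_SERVER (assumption
// for this demo): the part of the URI before '?' is split into the script
// path (up to and including ".php") and the trailing PATH_INFO, which is
// percent-decoded. PHP_SELF is the concatenation of the two.
function simulate_server(string $request_uri): array {
    $path   = explode('?', $request_uri, 2)[0];
    $pos    = strpos($path, '.php');
    $script = substr($path, 0, $pos + 4);
    $info   = rawurldecode(substr($path, $pos + 4));
    return [
        'REQUEST_URI' => $request_uri,
        'SCRIPT_NAME' => $script,
        'PATH_INFO'   => $info,
        'PHP_SELF'    => $script . $info,
    ];
}

// Constructed request URIs: one using the query string (not reflected via
// PHP_SELF) and one using path info (reflected), mirroring the thread.
$urls = [
    '/ig-shop/change_pass.php?action=%22%3E%3Cscript%3Ealert(1)%3C/script%3E',
    '/ig-shop/change_pass.php/action=%22%3E%3Cscript%3Ealert(1)%3C/script%3E',
];

foreach ($urls as $u) {
    $s = simulate_server($u);
    echo "Request:    $u\n";
    echo "PHP_SELF:   {$s['PHP_SELF']}\n";
    echo "Vulnerable: " . vulnerable_form($s) . "\n";
    echo "Hardened:   " . hardened_form($s) . "\n\n";
}
```

Run it with the PHP CLI; no web server is needed because `simulate_server()` replaces the SAPI. For the second URI the vulnerable output closes the `action` attribute and emits a script tag, while the hardened output is the bare script path. If you must keep PHP_SELF (for example to preserve path-info routing), wrapping it in `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` is the minimum fix; switching to SCRIPT_NAME removes the path-info attack surface altogether.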