[VIM] Ig-shop change_pass.php XSS - 2 vectors
Steven M. Christey
coley at linus.mitre.org
Tue Oct 31 17:59:38 EST 2006
For a second I thought I'd had a huge misunderstanding about PHP_SELF,
then things became OK. I guess there's a particular subtlety that hasn't
reached widespread awareness.
> The $PHP_SELF variable returns the script name, but not the query
> parameters (manual says: "The filename of the currently executing
> script, relative to the document root"). So the 'action' parameter
> shouldn't be a valid exploit vector.
The population of PHP_SELF seems to get confused sometimes, or at least
returns unexpected values. This might be related to how Apache parses PHP
requests, I don't know.
Take an example abc.php (tested on PHP 4.3 on Apache):
gives the XSS dialog we all know and love.
Looks like the request is parsed into "before ?" and "after ?", and
anything before "?" is dumped into PHP_SELF.
So, for ig-shop, what happens if you use something like:
http://site.com/ig-shop/change_pass.php/action=">[etc. etc. etc]
i.e., a "/" between change_pass.php and action?
More information about the VIM