[VIM] Ig-shop change_pass.php XSS - 2 vectors

Stuart Moore smoore at securityglobal.net
Tue Oct 31 20:15:21 EST 2006


Steve,

You are right, this works:

change_pass.php/action=">[etc. etc. etc]

It is possible that the following could work on some Apache configs 
(especially if mod_rewrite is rewriting the URL):

change_pass.php?action=">[etc. etc. etc]

Either way, the functioning of $PHP_SELF does not seem consistent w/ the 
PHP documentation.  I noticed that the variable has a long history of 
bugs and documentation inconsistencies ...

Stuart


Steven M. Christey wrote:
> Stuart,
> 
> For a second I thought I'd had a huge misunderstanding about PHP_SELF,
> then things became OK.  I guess there's a particular subtlety that hasn't
> reached widespread awareness.
> 
>> The $PHP_SELF variable returns the script name, but not the query
>> parameters (manual says: "The filename of the currently executing
>> script, relative to the document root").  So the 'action' parameter
>> shouldn't be a valid exploit vector.
> 
> The population of PHP_SELF seems to get confused sometimes, or at least
> returns unexpected values.  This might be related to how Apache parses PHP
> requests, I don't know.
> 
> Take an example abc.php (tested on PHP 4.3 on Apache):
> 
>   echo $_SERVER['PHP_SELF'];
> 
> Calling this:
> 
>   http://url/abc.php/param=<script>alert('hi')</script>
> 
> gives the XSS dialog we all know and love.
> 
> Looks like the request is parsed into "before ?" and "after ?", and
> anything before "?" is dumped into PHP_SELF.
> 
> So, for ig-shop, what happens if you use something like:
> 
>   http://site.com/ig-shop/change_pass.php/action=">[etc. etc. etc]
> 
> i.e., a "/" between change_pass.php and action?
> 
> - Steve
> 
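The PATH_INFO behaviour the thread is describing, as an added example that is not part of the mail or of ig-shop's code: a script that reflects $_SERVER['PHP_SELF'] into a form action, the same script with the value HTML-escaped, and a variant that uses SCRIPT_NAME so the attacker-controlled path suffix is never reflected. The function names, the attributeIntact() check and the sample request are constructed for illustration; on a real server you would read $_SERVER as populated by Apache instead of building the array by hand.

```php
<?php
// Added example, not code from ig-shop or from the VIM thread. It shows why
// echoing $_SERVER['PHP_SELF'] into a form's action attribute is an XSS sink
// when PATH_INFO is enabled, and two ways to fix it. Function names and the
// sample request are constructed for illustration.
declare(strict_types=1);

// Under Apache/mod_php, PHP_SELF is SCRIPT_NAME followed by PATH_INFO, i.e.
// the whole request path before the "?". So a request for
//   /ig-shop/change_pass.php/action="><script>...</script>
// gives PHP_SELF = '/ig-shop/change_pass.php/action="><script>...</script>'.
// The "?" variant only lands in PHP_SELF if something (mod_rewrite, for
// instance) has already moved the query string into the path.

// The vulnerable pattern: the request path is reflected unescaped.
function formActionVulnerable(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Fix 1: HTML-escape the value. ENT_QUOTES is required here because the
// attribute is delimited with double quotes and the payload begins with '">'.
function formActionEscaped(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

// Fix 2: do not reflect PATH_INFO at all. SCRIPT_NAME is the script's own
// path without the trailing PATH_INFO; it is escaped anyway as a habit.
function formActionScriptName(array $server): string
{
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

// Does the attribute value still end where the template put the closing
// quote? If the output does not match a single quoted value followed by the
// closing '>', the attacker broke out of the attribute.
function attributeIntact(string $html): bool
{
    return preg_match('/^<form method="post" action="[^"]*">$/', $html) === 1;
}

// Constructed request, mirroring the PATH_INFO vector confirmed in the
// thread. Built by hand so the script runs from the CLI; on a web server
// you would read $_SERVER directly.
$server = [
    'SCRIPT_NAME' => '/ig-shop/change_pass.php',
    'PATH_INFO'   => '/action="><script>alert(1)</script>',
];
$server['PHP_SELF'] = $server['SCRIPT_NAME'] . $server['PATH_INFO'];

foreach ([
    'vulnerable'  => formActionVulnerable($server),
    'escaped'     => formActionEscaped($server),
    'script_name' => formActionScriptName($server),
] as $label => $html) {
    printf("%-12s %s\n             %s\n", $label,
        attributeIntact($html) ? 'attribute intact' : 'ATTRIBUTE BROKEN OUT OF',
        $html);
}
```

Run it with `php example.php`. Only the first variant fails the attributeIntact() check. The manual's wording quoted in the thread ("the filename of the currently executing script") is what misleads: PHP_SELF is built from the request path, PATH_INFO included, not from the file on disk, so it is request-controlled even though no "?" is involved and nothing from the query string is read.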