<div dir="rtl">This is a case of poor programming on the script coder's part; it is not so<br>much a vulnerability.<br><br>That variable only contains what it is sent by Apache. It doesn't parse it,<br>nor is it supposed to. If you want to ensure there is no XSS going on, parse
<br>the variable, escape characters, etc., as it IS user input.<br><br>This CAN be a vulnerability with individual scripts; however, it is not a vuln<br>with PHP or Apache.<br><br>On Monday 23 April 2007 17:31, Michal Majchrowicz wrote:
<br>> There exists a flaw in the way the Apache and PHP combination handles the<br>> $_SERVER array.<br>> If the programmer writes a script like this:<br>> <?php<br>> echo $_SERVER['REQUEST_METHOD'];
<br>> ?><br>> He will assume that REQUEST_METHOD can only be: GET, POST, OPTIONS, TRACE<br>> and all that stuff. However this is not true, since Apache accepts<br>> requests that look like this:<br>> GET<script>alert(document.coookie);</script> /test.php HTTP/1.0<br>> And the output for this would be:<br>> GET<script>alert(document.coookie);</script><br>> Of course it is hard to exploit (I think some Flash might help ;)) and
<br>> I don't know if it is exploitable at all. But programmers should be<br>> warned about this behaviour. You can't trust any variable in the<br>> $_SERVER table!<br>> Regards Michal Majchrowicz.<br>
><br><br><br>
<div><span class="gmail_quote">2007/4/24, Michał Majchrowicz <<a href="mailto:mmajchrowicz@gmail.com">mmajchrowicz@gmail.com</a>>:</span>
<blockquote class="gmail_quote" style="BORDER-RIGHT: #ccc 1px solid; PADDING-RIGHT: 1ex; PADDING-LEFT: 1ex; MARGIN: 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"><br>I agree. But (as a programmer) would you assume that there can be such
<br>things in the REQUEST_METHOD? The flaw is that Apache accepts anything<br>after the valid request, i.e. GET. There should be an error that the<br>request was not correct.<br>Regards Michal.<br><br>On 4/24/07, Kradorex Xeron <
<a href="mailto:admin@digibase.ca">admin@digibase.ca</a>> wrote:<br>> This is a case of poor programming on the script coder's part; it is not so<br>> much a vulnerability.<br>><br>> That variable only contains what it is sent by Apache. It doesn't parse it,
<br>> nor is it supposed to. If you want to ensure there is no XSS going on, parse<br>> the variable, escape characters, etc., as it IS user input.<br>><br>> This CAN be a vulnerability with individual scripts; however, it is not a vuln
<br>> with PHP or Apache.<br>><br>> On Monday 23 April 2007 17:31, Michal Majchrowicz wrote:<br>> > There exists a flaw in the way the Apache and PHP combination handles the<br>> > $_SERVER array.<br>> > If the programmer writes a script like this:
<br>> > <?php<br>> > echo $_SERVER['REQUEST_METHOD'];<br>> > ?><br>> > He will assume that REQUEST_METHOD can only be: GET, POST, OPTIONS, TRACE<br>> > and all that stuff. However this is not true, since Apache accepts
<br>> > requests that look like this:<br>> > GET<script>alert(document.coookie);</script> /test.php HTTP/1.0<br>> > And the output for this would be:<br>> > GET<script>alert(document.coookie);</script><br>> > Of course it is hard to exploit (I think some Flash might help ;)) and<br>> > I don't know if it is exploitable at all. But programmers should be<br>> > warned about this behaviour. You can't trust any variable in the
<br>> > $_SERVER table!<br>> > Regards Michal Majchrowicz.<br>> ><br>> > _______________________________________________<br>> > Full-Disclosure - We believe in it.<br>> > Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">
http://lists.grok.org.uk/full-disclosure-charter.html</a><br>> > Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><br>><br></blockquote></div><br></div>
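As an added example that is not part of this thread, here is a PHP script that does what the reply above recommends: it treats $_SERVER['REQUEST_METHOD'] as user input, allow-lists the methods the script actually handles, and HTML-escapes whatever it echoes. The names ALLOWED_METHODS, isAllowedMethod(), h() and renderMethod() are chosen here and are not part of PHP or Apache; the sample inputs are constructed from the request line quoted in the thread.

```php
<?php
// Added example, not code from the thread: treat $_SERVER['REQUEST_METHOD']
// as untrusted input by allow-listing the methods this script handles and
// HTML-escaping anything it echoes back into the page.

// Methods this script is prepared to handle (names chosen for this example).
const ALLOWED_METHODS = ['GET', 'HEAD', 'POST', 'OPTIONS', 'TRACE'];

// Strict comparison (third argument) so only an exact token matches;
// HTTP method names are case-sensitive, so no case folding is applied.
function isAllowedMethod(string $raw): bool
{
    return in_array($raw, ALLOWED_METHODS, true);
}

// Escape a value for an HTML text node or attribute. ENT_QUOTES covers both
// quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The thread's vulnerable one-liner was:  echo $_SERVER['REQUEST_METHOD'];
// This hardened replacement returns the markup instead of echoing it, so it
// can be exercised with constructed inputs below as well as in a handler.
function renderMethod(string $raw): string
{
    if (!isAllowedMethod($raw)) {
        // The rejection message is escaped too, so it cannot re-introduce
        // the injection the validation just caught.
        return '<p>Rejected request method: ' . h($raw) . '</p>';
    }
    return '<p>Method: ' . h($raw) . '</p>';
}

// Constructed samples: a normal method, and the method token that the
// request line quoted in the thread would leave in REQUEST_METHOD.
$samples = [
    'GET',
    'GET<script>alert(document.cookie);</script>',
];
foreach ($samples as $raw) {
    echo renderMethod($raw), "\n";
}

// In a real request handler the call would be:
// echo renderMethod($_SERVER['REQUEST_METHOD'] ?? '');
```

Run from the command line, the second sample is rejected and printed with its angle brackets converted to entities, so the browser renders it as text rather than executing it.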