$_SERVER['PHP_SELF'] and cross-site scripting
Monday, May 20, 2013
It's tempting to assume that PHP's $_SERVER array mostly contains fields out of the reach of an attacker, since these are "server" variables. However, that's not always the case; in particular, the seemingly innocuous PHP_SELF field can be a vector for cross-site scripting.
For example, consider the following foo.php:
<form method="POST" action="<?php echo $_SERVER['PHP_SELF'] ?>">
<!-- ...form elements... -->
</form>
If I visit http://www.example.com/foo.php, $_SERVER['PHP_SELF'] will be /foo.php and everything will work correctly.
But what if I visit http://www.example.com/foo.php/"><script>alert('hello');</script> instead? Then the rendered HTML will be:
<form method="POST" action="/foo.php/"><script>alert('hello');</script>">
<!-- ...form elements... -->
</form>
This allows injection of arbitrary script running under the host site's context, also known as XSS. Two ways to fix this are:
- Use $_SERVER['SCRIPT_NAME'] instead of $_SERVER['PHP_SELF']. The former is the name of the actual script file and can't normally be manipulated by an attacker.
- Use htmlspecialchars(), which by default will escape double-quotes and prevent a user-supplied string from breaking out of an HTML attribute context.
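The two fixes combined, as an added example that is not part of the original post (the $_SERVER values are constructed to mirror the request described above, and safe_form_action() is a hypothetical helper):

```php
<?php
// Returns a value that is safe to place inside the form's action="..." attribute.
function safe_form_action(array $server): string
{
    // SCRIPT_NAME is the path of the script file itself (e.g. "/foo.php");
    // unlike PHP_SELF it does not carry the client-supplied PATH_INFO suffix.
    $action = $server['SCRIPT_NAME'] ?? '/';

    // Escape anyway as defence in depth, so the value can never close the
    // attribute even if some server configuration populates SCRIPT_NAME
    // differently. ENT_QUOTES covers both " and ', so the helper is also
    // safe for single-quoted attributes.
    return htmlspecialchars($action, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed $_SERVER entries for the request shown in the post:
// GET /foo.php/"><script>alert('hello');</script>
$request = [
    'SCRIPT_NAME' => '/foo.php',
    'PHP_SELF'    => '/foo.php/"><script>alert(\'hello\');</script>',
];

// Vulnerable, as in the post: the raw PHP_SELF value lands in the attribute,
// the quote closes it early and the <script> element becomes live markup.
$vulnerable = '<form method="POST" action="' . $request['PHP_SELF'] . '">';

// Hardened: SCRIPT_NAME, escaped. Renders as <form method="POST" action="/foo.php">
$hardened = '<form method="POST" action="' . safe_form_action($request) . '">';

echo $vulnerable, PHP_EOL;
echo $hardened, PHP_EOL;

// Escaping alone also neutralises PHP_SELF: " becomes &quot; and < > become
// &lt; &gt;, so the browser sees an odd but harmless attribute value.
echo htmlspecialchars($request['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), PHP_EOL;
```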
By the way, this was pretty surprising behavior to me for two reasons:
- The documentation of PHP_SELF is misleading. Its first sentence says: "The filename of the currently executing script, relative to the document root." It seems odd that PHP would refer to something like /foo.php/"><script>alert('hello');</script> as a "filename."
- It's pretty bizarre default behavior that PHP will execute /foo.php for a request of /foo.php/bar/baz.
Comments
David Annis on Wednesday, June 25, 2014 at 06:32
I have used the fact that PHP will execute /foo.php from a request that contains /foo.php/bar to make search-engine-friendly URLs, because many search engines will not index both wheretodrink.php?answer=bar and wheretodrink.php?answer=home, because they fear an infinite set of URLs.