[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PHP and SCRIPT_NAME variable



Serg Belokamen wrote:
> I am quiet sure you can't exploit $_SERVER["SCRIPT_NAME"] variable
> unless there is a buffer overflow or something, but then again you
> would be limited by the size of data allowed withing GET request... So
> doubt you get anything evil out of that.

I also talked privately with other folks like FX and Steffan Esser. They
told me both that the normalization of that variable (amongst others, I
suppose) depends on the web server being used. I only had time to do some
quick tests with Apache 1.3.x and Apache 2.0.x, and they result the same
(for instance, "/dir1/../dir2/script.php" gets normalized to
"/dir2/script.php"). Have somebody done similar tests and noted different
behaviours between different web servers? Examples?

> However if you swap yoru example from:
> 
> $_SERVER["SCRIPT_NAME"]
> 
> to
> 
> $_SERVER["PHP_SELF"]

Yes, I know. If the variable in question was PHP_SELF, the game would be
over and I'd have my "problem" solved. But unfortunately it's not the case.

-- 

Saludos,
-Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]