Question about $_SERVER['request_uri']

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

0sinner
Forum Newbie
Posts: 12
Joined: Tue Aug 18, 2009 4:06 pm

Question about $_SERVER['request_uri']

Post by 0sinner »

Hello PHP community,

As the subject title says, my question is regarding the value of $_SERVER['request_uri'] or, more generally, about all headers sent from the user.

Have these headers been in any way preprocessed before my code sees it? Is it possible to have a totally abnormal "request_uri"?

For instance I'm expecting
'/index.php'
or '/dr/'

Will PHP automatically throw away the garbage requests like:
'www.totallydifferentsite.com/jk.php'
or '//jk////kewl'


Thanks for your time,
~0
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Question about $_SERVER['request_uri']

Post by Eric! »

I think the browser (client) related header data all start with HTTP_* like HTTP_USER_AGENT. I think REQUEST_URI originates from the server. So to spoof it your server would have to have been compromised.

If register_globals is turned on then you might have a problem though.
nitin2020
Forum Newbie
Posts: 1
Joined: Tue Sep 15, 2009 8:07 am

Re: Question about $_SERVER['request_uri']

Post by nitin2020 »

Hi,

No, PHP will not throw away garbage requests automatically. You would be required to filter the input and act accordingly. For more information, you may contact me at http://www.hichicfashion.com/
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Question about $_SERVER['request_uri']

Post by Eric! »

0sinner wrote:Will PHP automatically throw away the garbage requests like:
'www.totallydifferentsite.com/jk.php'
or '//jk////kewl'
Actually, your server will throw away garbage requests if it doesn't know what to do with them. You'll have to be more descriptive about your question if you think this somehow relates to PHP. I assume you are worried about people spoofing the REQUEST_URI in a form of XSS attack? But that won't happen unless you already have a script running that has an XSS hole in it on your server. The REQUEST_URI can't be spoofed by itself.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Question about $_SERVER['request_uri']

Post by Mordred »

$_SERVER['REQUEST_URI'] can contain user-supplied input. XSS attacks are possible, if you output the value directly.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Question about $_SERVER['request_uri']

Post by jackpf »

A bit off topic..

But I currently record the URI each user is on on my website, so I can do stuff like see how many people are viewing certain threads etc...

I just insert $_SERVER['REQUEST_URI'] into the database. But one person had "http://www.yahoo.com" as their URI in the db 8O

I've always wondered how that got there...

But yes, the URI consists of user supplied data...so cannot be guaranteed as safe.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Question about $_SERVER['request_uri']

Post by Mordred »

Depending on the server configuration, it is possible to send a request for yahoo.com and be handled on your server - either modify the Host: header or list the IP of the server in question in the hosts file for yahoo.com.
0sinner
Forum Newbie
Posts: 12
Joined: Tue Aug 18, 2009 4:06 pm

Re: Question about $_SERVER['request_uri']

Post by 0sinner »

Wow thanks for the explosion of responses. Lots of information.

@nitin2020, I'll try to go to your site to contact you, but I'd like to hear more from you about this.

@Eric! I wasn't actually thinking about an XSS attack when asking this question. Just I seem to be doing a tonne of validation on forms for everything submitted by the user from a possible custom form, and I'm wondering what php-side variables are influenced by the user so that I can validate them as well.

@Mordred, like I said to Eric, I'm not really sure how the 'REQUEST_URI' is used in XSS attacks, but I will definitely be googling it now to check if any of my pages are vulnerable.

@jackpf, that is very interesting. I wonder if I should account for such things. I was going to validate the 'REQUEST_URI' using a regex. I don't mind if people get rerouted to my page for one reason or another so I think I will support that type of 'REQUEST_URI'. Definitely something I need to consider. Thanks for your input.

@Mordred (again). Would it really depend on the server configuration? Wouldn't the client's hosts file be in question? I'm unsure what you mean by "modify the Host: header" as that may be a little low-level technical for my knowledge, but I would like it if you expanded on that.
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Question about $_SERVER['request_uri']

Post by Eric! »

Sheesh, was I stupid. I thought REQUEST_URI came strictly from the server and was like SCRIPT_NAME. But no. It still passes on the query crap from the user. So I played with it a bit and found it has the same XSS problems as $_SERVER['PHP_SELF'].

@0sinner How the XSS works is if you echo either PHP_SELF or REQUEST_URI it will carry through the query string.

So if in your code you have a raw
echo $_SERVER['REQUEST_URI']; // no filtering of the data

And someone goes to your page with
http://example.com/testpage.php?%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E

They get to run their stuff on your server. (In this example a harmless <script>alert('xss')</script> )

@jack do you get domain info with your path or did the domain just get inserted in the query part?
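The unfiltered echo that Eric! describes, beside an escaped version and a shape check for the URI, as an added example that is not code from anyone in this thread. It assumes an Apache-style REQUEST_URI (the raw request-line target, not percent-decoded) and uses constructed sample values, including the ones quoted in this thread; the function names are mine.

```php
<?php
// Added example (not from the thread): REQUEST_URI carries whatever the client
// put on the request line, query string included, so escape it on output and
// validate its shape before trusting it for routing, logging or storage.
declare(strict_types=1);

/** Escape a string for safe inclusion in HTML text or attribute context. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Report whether a request URI looks like the origin-form paths this site
 * expects ('/index.php', '/dr/', optional query string). Absolute URLs such as
 * 'http://www.yahoo.com', doubled leading slashes and control characters are
 * rejected. Note that a query string is allowed through here, so this check is
 * no substitute for escaping on output.
 */
function isExpectedRequestUri(string $uri): bool
{
    // Exactly one leading '/', then unreserved/percent-encoded path characters,
    // then an optional '?query' with no whitespace or fragment.
    return (bool) preg_match('#\A/(?!/)[A-Za-z0-9._~%/\-]*(\?[^\s\#]*)?\z#', $uri);
}

/** Value to store or log: keep expected URIs, replace anything else with a marker. */
function uriForLog(string $uri): string
{
    return isExpectedRequestUri($uri) ? $uri : '[unexpected request-uri]';
}

// Constructed sample inputs, including the values quoted in this thread.
$samples = [
    '/index.php',
    '/dr/?page=2',
    '//jk////kewl',
    'http://www.yahoo.com',
    '/testpage.php?%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E',
    "/testpage.php?<script>alert('xss')</script>",
];

foreach ($samples as $uri) {
    // Vulnerable pattern from the thread:  echo $_SERVER['REQUEST_URI'];
    // Hardened: the same value, escaped so any markup in it renders as text.
    printf("%-64s expected=%-3s log=%s\n  html=%s\n",
        $uri, isExpectedRequestUri($uri) ? 'yes' : 'no', uriForLog($uri), h($uri));
}
```

In a real page the escaped form is what goes into the template: `echo h($_SERVER['REQUEST_URI'] ?? '');`.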
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Question about $_SERVER['request_uri']

Post by jackpf »

I don't think I have the record any more...I must have cleared my logs since then.

But I think it was just "http://www.yahoo.com". I would have thought that if it was a valid request, it would be at least "/http://www.yahoo.com" (notice the forward slash at the beginning), since if someone just visited "jackpf.co.uk/", then $_SERVER['REQUEST_URI'] would == "/"...but who knows.

I think it's just one of those inexplicable mysteries 8O