Page 1 of 1

Question about $_SERVER['request_uri']

Posted: Mon Sep 14, 2009 10:26 pm
by 0sinner
Hello PHP community,

As the subject title says my question is regarding the value of $_SERVER['request_uri'] or more generally about all header's sent from the user.

Have these headers been in any way preprocessed before my code sees it? Is it possible to have a totally abnormal "request_uri"?

For instance I'm expecting
'/index.php'
or '/dr/'

Will PHP automatically throw away the garbage requests like:
'www.totallydifferentsite.com/jk.php'
or '//jk////kewl'


Thanks for your time,
~0

Re: Question about $_SERVER['request_uri']

Posted: Mon Sep 14, 2009 11:50 pm
by Eric!
I think the browser (client) related header data all start with HTTP_* like HTTP_USER_AGENT. I think REQUEST_URI originates from the server. So to spoof it your server would have to have been compromised.

If register_globals is turned on then you might have a problem though.

Re: Question about $_SERVER['request_uri']

Posted: Tue Sep 15, 2009 8:12 am
by nitin2020
Hi,

No, PHP will not throw away garbage request automatically. You would be required to filter the input and act accordingly. for more information, you may contact me at http://www.hichicfashion.com/

Re: Question about $_SERVER['request_uri']

Posted: Tue Sep 15, 2009 8:19 am
by Eric!
0sinner wrote:Will PHP automatically throw away the garbage requests like:
'www.totallydifferentsite.com/jk.php'
or '//jk////kewl'
Actually, your server will throw away garbage requests if it doesn't know what do to with them. You'll have to be more descriptive about your question if you think this somehow relates to PHP. I assume you are worried about people spoofing the REQUEST_URI in a form of XSS attack? But that won't happen unless you already have a script running that has an XSS hole in it on your server. The REQUEST_URI can't be spoofed by itself.

Re: Question about $_SERVER['request_uri']

Posted: Tue Sep 15, 2009 10:15 am
by Mordred
$_SERVER['REQUEST_URI'] can contain user-supplied input. XSS attacks are possible, if you output the value directly.

Re: Question about $_SERVER['request_uri']

Posted: Tue Sep 15, 2009 10:51 am
by jackpf
A bit off topic..

But I currently record the URI each user is on on my website, so I can do stuff like see how many people are viewing certain threads etc...

I just insert $_SERVER['REQUEST_URI'] into the database. But one person had "http://www.yahoo.com" as their URI in the db 8O

I've always wondered how that got there...

But yes, the URI consists of user supplied data...so cannot be guaranteed as safe.

Re: Question about $_SERVER['request_uri']

Posted: Tue Sep 15, 2009 12:22 pm
by Mordred
Depending on the server configuration, it is possible to send a request for yahoo.com and be handled on your server - either modify the Host: header or list the IP of the server in question in the hosts file for yahoo.com.

Re: Question about $_SERVER['request_uri']

Posted: Tue Sep 15, 2009 1:22 pm
by 0sinner
Wow thanks for the explosion of responses. Lots of information.

@nitin2020, I'll try to go to your site to contact you, but I'd like to hear more from you about this.

@Eric! I wasn't actually thinking about an XSS attack when asking this question. Just I seem to be doing a tonne of validation on forms for everything submitted by the user from a possible custom form, and I'm wondering what php-side variables are influenced by the user so that I can validate them as well.

@Mordred, like I said to Eric, I'm not really sure how the 'REQUEST_URI' is used in XSS attacks, but I will definitely be googling it now to check if any of my pages are vulnerable.

@jackpf, that is very interesting. I wonder if I should account for such things. I was going to validate the 'REQUEST_URI' using a regex. I don't mind if people get rerouted to my page for one reason or another so I think I will support that type of 'REQUEST_URI'. Definitely something I need to consider. Thanks for your input.

@Mordred(again). Would it really depend on the server configuration? Wouldn't the clients hosts file be in question? I'm unsure what you mean by "modify the Host: header" as that may be a little low-level technical for my knowledge, but I would like it if you expanded on that.

Re: Question about $_SERVER['request_uri']

Posted: Tue Sep 15, 2009 6:46 pm
by Eric!
Shesh, was I stupid. I thought REQUEST_URI came strictly from the server and was like SCRIPT_NAME. But no. It still passes on the query crap from the user. So I played with it a bit and found it has the same xss problems as $_SERVER['PHP_SELF'].

@0sinner How the XSS works is if you echo either PHP_SELF or REQUEST_URI it will carry through the query string.

So if in your code you have a raw
echo $_SERVER['REQUEST_URI']; // no filtering of the data

And someone goes to your page with
http://example.com/testpage.php?%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E

They get to run their stuff on your server. (In this example a harmless <script>alert('xss')</script> )

@jack do you get domain info with your path or did the domain just get inserted in the query part?

Re: Question about $_SERVER['request_uri']

Posted: Wed Sep 16, 2009 5:40 am
by jackpf
I don't think I have the record any more...I must have cleared my logs since then.

But I think it was just "http://www.yahoo.com". I would have thought that if it was a valid request, it would be at least "/http://www.yahoo.com" (notice the forward slash at the beginning), since if someone just visited "jackpf.co.uk/", then $_SERVER['REQUEST_URI'] would == "/"...but who knows.

I think it's just one of those unexplicable mysteries 8O