$_SERVER injections

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


SidewinderX
Forum Contributor
Posts: 407
Joined: Fri Jul 16, 2004 9:04 pm
Location: NY


Post by SidewinderX »

Is it possible to inject code using $_SERVER variables? In my code I have


$ipaddr = $_SERVER['REMOTE_ADDR'];
and $ipaddr is used in a query. I was wondering if this is any type of security risk, as GET and POST variables are.
toasty2
Forum Contributor
Posts: 361
Joined: Wed Aug 03, 2005 10:28 am
Location: Arkansas, USA

Post by toasty2 »

No. (Well, not by a website user at least)
miro_igov
Forum Contributor
Posts: 485
Joined: Fri Mar 31, 2006 5:06 am
Location: Bulgaria

Post by miro_igov »

But it will not harm if you escape all variables you pass to the query.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

Yes, it's possible. Not with REMOTE_ADDR to my knowledge, but many variables in $_SERVER are under the control of an attacker.

Anyway, miro_igov is right, you must always escape everything, no matter where it comes from.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

A lot of what is in $_SERVER is tainted. Anything beginning with HTTP for a start. If you are using name-based virtual hosts HTTP_HOST is safe because it has already been white-listed by Apache but that's an exception. PHP_SELF is not safe.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

$_SERVER should be treated like $_GET, $_POST, and $_COOKIE. It can all be altered by the user, so you must treat it as though it can be altered by the user.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

All the variables are added via ap_add_cgi_vars and ap_add_common_vars in Apache. Thus as soon as you can modify these, you can influence what goes into PHP's $_SERVER ;)
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

ole wrote: PHP_SELF is not safe.
I couldn't understand why.


<form action='<? echo $_SERVER['PHP_SELF']; ?>' ....
What could be the exploit/injection in the code above? Can you give me an example - I am really confused.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

Thanks! :)

So, we have this issue only when using mod_rewrite, right?
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

uh, no.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

VladSun wrote: Thanks! :)

So, we have this issue only when using mod_rewrite, right?
How did you go from XSS to mod_rewrite?
stereofrog
Forum Contributor
Posts: 386
Joined: Mon Dec 04, 2006 6:10 am

Post by stereofrog »

VladSun wrote: So, we have this issue only when using mod_rewrite, right?
No, it's another Apache feature, AcceptPathInfo. Setting it to On (default, IIRC) tells Apache to accept requests like "index.php/no/such/path".
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

@superdezign - my mistake, I misunderstood the example.

@stereofrog - thank you for explaining :)
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

ole wrote: If you are using name-based virtual hosts HTTP_HOST is safe because it has already been white-listed by Apache but that's an exception.
I'm pretty sure that's not the case for the default host, so that exception is worth mentioning.

I treat everything in $_SERVER as input just like anything else, because there are too many edge cases, and because defense in depth never hurt anyone. :-)
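
The advice in this thread (treat every $_SERVER value as input and escape it for the context where it is used), as an added example that is not code from any poster. The `$server` array holds constructed sample values, and the `visits` table and the function names are hypothetical.

```php
<?php
// Added example: handle $_SERVER values as untrusted input, per the thread.

// Constructed sample values; in a real request PHP fills $_SERVER itself.
$server = [
    // With AcceptPathInfo on, text after the script name ends up in PHP_SELF.
    'PHP_SELF'    => "/form.php/x' data-injected='1",
    'REMOTE_ADDR' => '203.0.113.7',
];

// Output context: escape for an HTML attribute, quotes included.
function form_action(array $server): string
{
    return htmlspecialchars($server['PHP_SELF'] ?? '', ENT_QUOTES, 'UTF-8');
}

// Validate the address before use; returns null when it is not an IP address.
function client_ip(array $server): ?string
{
    $ip = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Query context: bind the value instead of concatenating it into the SQL.
function log_visit(PDO $db, array $server): void
{
    $stmt = $db->prepare('INSERT INTO visits (ip) VALUES (:ip)');
    $stmt->execute([':ip' => client_ip($server)]);
}

// The unescaped form lets the quote in PHP_SELF close the action attribute.
echo "unescaped: <form action='" . $server['PHP_SELF'] . "'>\n";
echo "escaped:   <form action='" . form_action($server) . "'>\n";

// In-memory SQLite stands in for the real database (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visits (ip TEXT)');
log_visit($db, $server);
echo 'stored ip: ' . $db->query('SELECT ip FROM visits')->fetchColumn() . "\n";
```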