$_SERVER injections
Posted: Sat Jul 28, 2007 9:49 pm
by SidewinderX
Is it possible to inject code using $_SERVER variables? In my code I have
Code:
$ipaddr = $_SERVER['REMOTE_ADDR'];
and $ipaddr is used in a query. I was wondering if this is any type of security risk, as GET and POST variables are.
Posted: Sun Jul 29, 2007 12:51 am
by toasty2
No. (Well, not by a website user at least)
Posted: Sun Jul 29, 2007 3:53 am
by miro_igov
But it will not harm if you escape all variables you pass to the query.
Posted: Sun Jul 29, 2007 4:50 am
by Mordred
Yes, it's possible. Not with REMOTE_ADDR to my knowledge, but many variables in $_SERVER are under the control of an attacker.
Anyway, miro_igov is right, you must always escape everything, no matter where it comes from.
Posted: Sun Jul 29, 2007 5:17 am
by Ollie Saunders
A lot of what is in $_SERVER is tainted. Anything beginning with HTTP for a start. If you are using name-based virtual hosts HTTP_HOST is safe because it has already been white-listed by Apache but that's an exception. PHP_SELF is not safe.
Posted: Sun Jul 29, 2007 8:46 am
by superdezign
$_SERVER should be treated like $_GET, $_POST, and $_COOKIE. It can all be altered by the user, so you must treat it as though it can be altered by the user.
Posted: Sun Jul 29, 2007 4:33 pm
by timvw
All the variables are added via ap_add_cgi_vars and ap_add_common_vars in Apache. Thus, as soon as you can modify these, you can influence what goes into PHP's $_SERVER.

Posted: Mon Jul 30, 2007 5:47 am
by VladSun
ole wrote: PHP_SELF is not safe.
I couldn't understand why.
Code:
<form action='<? echo $_SERVER['PHP_SELF']; ?>' ....
What could be the exploit/injection in the code above? Can you give me an example - I am really confused.
Posted: Mon Jul 30, 2007 6:06 am
by Ollie Saunders
Posted: Mon Jul 30, 2007 6:26 am
by VladSun
Thanks!
So, we have this issue only when using mod_rewrite, right?
Posted: Mon Jul 30, 2007 6:35 am
by Ollie Saunders
uh, no.
Posted: Mon Jul 30, 2007 8:21 am
by superdezign
VladSun wrote: Thanks!
So, we have this issue only when using mod_rewrite, right?
How did you go from XSS to mod_rewrite?
Posted: Mon Jul 30, 2007 9:31 am
by stereofrog
VladSun wrote:
So, we have this issue only when using mod_rewrite, right?
No, it's another Apache feature, AcceptPathInfo. Setting it to On (default, IIRC) tells Apache to accept requests like "index.php/no/such/path".
Posted: Mon Jul 30, 2007 9:52 am
by VladSun
@superdezign - my mistake, I misunderstood the example.
@stereofrog - thank you for explaining

Posted: Thu Aug 02, 2007 10:25 pm
by shiflett
ole wrote: If you are using name-based virtual hosts HTTP_HOST is safe because it has already been white-listed by Apache but that's an exception.
I'm pretty sure that's not the case for the default host, so that exception is worth mentioning.
I treat everything in $_SERVER as input just like anything else, because there are too many edge cases, and because defense in depth never hurt anyone. :-)
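
Added example, not part of any post in the thread: the two uses discussed above (PHP_SELF in a form action, REMOTE_ADDR in a query), shown unescaped and then handled as input. The $server array, the helper names attr() and client_ip(), the visits table and the in-memory SQLite database (requires pdo_sqlite) are assumptions made so the script runs offline from the PHP CLI.

```php
<?php
// Constructed sample values standing in for $_SERVER. With AcceptPathInfo On,
// PHP_SELF includes whatever trailing path the client appended to the script
// name; SCRIPT_NAME does not include that trailing path.
$server = [
    'PHP_SELF'    => "/index.php/no/such/path'><b>injected</b>",
    'SCRIPT_NAME' => '/index.php',
    'REMOTE_ADDR' => '203.0.113.7',
];

// Escape a value for use inside a quoted HTML attribute.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate the address instead of trusting its shape; null if malformed.
function client_ip(array $server): ?string
{
    $ip = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// As in the thread's snippet: the raw value closes the attribute and the tag.
$unescaped = "<form action='" . $server['PHP_SELF'] . "' method='post'>";

// Escaped: the quote and angle brackets become entities and stay inside the attribute.
$escaped = "<form action='" . attr($server['PHP_SELF']) . "' method='post'>";

// Alternative: use SCRIPT_NAME, still escaped on output.
$scriptOnly = "<form action='" . attr($server['SCRIPT_NAME']) . "' method='post'>";

echo $unescaped, PHP_EOL, $escaped, PHP_EOL, $scriptOnly, PHP_EOL;

// Query side: bind the value as a parameter rather than concatenating it.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE visits (ip TEXT NOT NULL)');

$ip = client_ip($server);
if ($ip !== null) {
    $stmt = $pdo->prepare('INSERT INTO visits (ip) VALUES (?)');
    $stmt->execute([$ip]);
}

echo 'rows stored: ', $pdo->query('SELECT COUNT(*) FROM visits')->fetchColumn(), PHP_EOL;
```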