dongzhang0418 2012-11-06 09:23

浏览 57

已采纳

$ _SERVER ['PHP_SELF']漏洞不“正常”？

Looking at an old code of a client, he's using

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" />

I was wondering if it was subject to XSS, but when I try :

form.php"><script>alert('xss');</script> => 404 NOT FOUND from Apache
form.php/"><script>alert('xss');</script> => 404 From my app

I must specify that I also use ?action=specific_page in the url for its normal use.

Does that mean no XSS is possible using PHP_SELF or does that mean I'm trying it the wrong way?

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dongpa5207 2012-11-06 09:40
关注
If your form is at form.php script, try accessing it with an url in the browser like http://yoursite.com/form.php/"><script>alert('XSS')</script> to see if it is vulnerable to injection.

If it doesn't do anything, your configuration prevents this, at least for this specific file.

(Of course, you should use something like htmlspecialchars($_SERVER['SCRIPT_NAME']) anyway.)

本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

悬赏问题

¥15 HLs设计手写数字识别程序编译通不过
¥15 Stata外部命令安装问题求帮助！
¥15 从键盘随机输入A-H中的一串字符串，用七段数码管方法进行绘制。提交代码及运行截图。
¥15 TYPCE母转母，插入认方向
¥15 如何用python向钉钉机器人发送可以放大的图片？
¥15 matlab（相关搜索：紧聚焦）
¥15 基于51单片机的厨房煤气泄露检测报警系统设计
¥15 Arduino无法同时连接多个hx711模块，如何解决？
¥50 需求一个up主付费课程
¥20 模型在y分布之外的数据上预测能力不好如何解决