dongzhang0418 2012-11-06 09:23
浏览 57
已采纳

$ _SERVER ['PHP_SELF']漏洞不“正常”?

Looking at an old code of a client, he's using

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" />

I was wondering if it was subject to XSS, but when I try :

  • form.php"><script>alert('xss');</script> => 404 NOT FOUND from Apache
  • form.php/"><script>alert('xss');</script> => 404 From my app

I must specify that I also use ?action=specific_page in the url for its normal use.

Does that mean no XSS is possible using PHP_SELF or does that mean I'm trying it the wrong way?

  • 写回答

1条回答 默认 最新

  • dongpa5207 2012-11-06 09:40
    关注

    If your form is at form.php script, try accessing it with an url in the browser like http://yoursite.com/form.php/"><script>alert('XSS')</script> to see if it is vulnerable to injection.

    If it doesn't do anything, your configuration prevents this, at least for this specific file.

    (Of course, you should use something like htmlspecialchars($_SERVER['SCRIPT_NAME']) anyway.)

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 HFSS 中的 H 场图与 MATLAB 中绘制的 B1 场 部分对应不上
  • ¥15 如何在scanpy上做差异基因和通路富集?
  • ¥20 关于#硬件工程#的问题,请各位专家解答!
  • ¥15 关于#matlab#的问题:期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707,使系统具有较小的超调量
  • ¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
  • ¥30 截图中的mathematics程序转换成matlab
  • ¥15 动力学代码报错,维度不匹配
  • ¥15 Power query添加列问题
  • ¥50 Kubernetes&Fission&Eleasticsearch
  • ¥15 報錯:Person is not mapped,如何解決?