[VulnWatch] Apache/PHP REQUEST_METHOD XSS Vulnerability

To: vulnwatch@vulnwatch.org, vulndiscuss@vulnwatch.org, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject: [VulnWatch] Apache/PHP REQUEST_METHOD XSS Vulnerability
From: "Michal Majchrowicz" <m.majchrowicz@gmail.com>
Date: Mon, 23 Apr 2007 23:31:34 +0200
There exists a flaw in the way the Apache and PHP combination handles the
$_SERVER array.
If the programmer writes a script like this:
<?php
    echo $_SERVER['REQUEST_METHOD'];
?>
he will assume that REQUEST_METHOD can only be GET, POST, OPTIONS, TRACE
and so on. However, this is not true, since Apache accepts
requests that look like this:
GET<script>alert(document.coookie);</script> /test.php HTTP/1.0
And the output for this would be:
GET<script>alert(document.coookie);</script>
Of course it is hard to exploit (I think some Flash might help ;)) and
I don't know if it is exploitable at all. But programmers should be
warned about this behaviour. You can't trust any variable in the
$_SERVER table!
Regards, Michal Majchrowicz.
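Added example (not part of the original post): the unescaped echo from the advisory next to a hardened handler that accepts only an allowlisted method token and HTML-encodes anything it reflects. The function names, the method allowlist and the sample $_SERVER array are assumptions constructed for the demonstration.

```php
<?php
// Vulnerable form from the post: whatever token Apache passed as the
// request method is written into the page verbatim.
function vulnerable_echo(array $server): string
{
    return $server['REQUEST_METHOD'];
}

// Hardened form. Apache does not restrict the method token, so the
// application must: compare against a strict allowlist (assumed set of
// methods, adjust to what the script actually serves) and treat anything
// else as a bad request instead of reflecting it.
const ALLOWED_METHODS = ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'TRACE', 'PATCH'];

function safe_method(array $server): ?string
{
    $method = $server['REQUEST_METHOD'] ?? '';
    // Strict comparison: no type juggling, exact string match only.
    return in_array($method, ALLOWED_METHODS, true) ? $method : null;
}

function render_method(array $server): string
{
    $method = safe_method($server);
    if ($method === null) {
        // Caller should answer with a 405/400 here; the reflected text is a constant.
        return 'Unsupported request method';
    }
    // Even an allowlisted value is encoded before it reaches HTML,
    // so $_SERVER is never trusted as markup.
    return htmlspecialchars($method, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: the request line from the post as PHP would see it.
$sample = ['REQUEST_METHOD' => 'GET<script>alert(document.cookie);</script>'];

echo vulnerable_echo($sample), "\n";                     // script tag reflected verbatim
echo render_method($sample), "\n";                        // Unsupported request method
echo render_method(['REQUEST_METHOD' => 'POST']), "\n";   // POST
```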
