$_SERVER['PHP_SELF'] 漏洞不“工作"? [英] $_SERVER['PHP_SELF'] vulnerability not "working"?
问题描述
查看客户的旧代码,他正在使用
Looking at an old code of a client, he's using
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" />
我想知道它是否受到 XSS 的影响,但是当我尝试时:
I was wondering if it was subject to XSS, but when I try :
form.php"><script>alert('xss');</script>
=> 404 NOT FOUND from Apacheform.php/"><script>alert('xss');</script>
=> 404 来自我的应用
form.php"><script>alert('xss');</script>
=> 404 NOT FOUND from Apacheform.php/"><script>alert('xss');</script>
=> 404 From my app
我必须指定我还在 url 中使用 ?action=specific_page 以供其正常使用.
I must specify that I also use ?action=specific_page in the url for its normal use.
这是否意味着使用 PHP_SELF
不可能出现 XSS,还是意味着我以错误的方式尝试它?
Does that mean no XSS is possible using PHP_SELF
or does that mean I'm trying it the wrong way?
推荐答案
如果您的表单位于 form.php
脚本中,请尝试使用浏览器中的 url 访问它,例如 http://yoursite.com/form.php/"><script>alert('XSS')</script>
看看它是否容易被注入.
If your form is at form.php
script, try accessing it with an url in the browser like http://yoursite.com/form.php/"><script>alert('XSS')</script>
to see if it is vulnerable to injection.
如果它没有做任何事情,您的配置会阻止这种情况,至少对于这个特定文件.
If it doesn't do anything, your configuration prevents this, at least for this specific file.
(当然,你应该使用类似 htmlspecialchars($_SERVER['SCRIPT_NAME'])
的东西.)
(Of course, you should use something like htmlspecialchars($_SERVER['SCRIPT_NAME'])
anyway.)
这篇关于$_SERVER['PHP_SELF'] 漏洞不“工作"?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!