Re: php - inject code into $_SERVER ?

C. Church wrote:
> ----- Original Message ----- From: "exon" <exon@home.se>
>
> > > Don't trust any input from the user or their browser.
> >
> > Exactly. But trust the input from the server. You don't have much 
> > choice anyway, so it's a waste of time bothering about it.
>
>
>
> I disagree.  You never know when a new vulnerability will pop up 
> somewhere - maybe there's not a vulnerability today, but maybe there'll 
> be one tomorrow. Maybe it won't require "ownership" of a webserver, 
> maybe it'll be bad handling of data that wouldn't affect anything but 
> software using those SERVER variables...  It's _never_ a waste of time 
> to ask yourself whether or not a variable is safe, and since it's coming 
> from _outside_ of _your_ code, what's the trouble with adding a single 
> line to check the contents of the variable?

Because if an attacker can set environment variables to arbitrary values 
through a webserver exploit he/she can also modify other slices of 
memory making PHP-scripts the last of your worries. An exploit not 
requiring PHP to be installed and sending the $_SERVER provided 
variables will be infinitely easier to write (due to heap/stack offset 
reasons, where eip and such can be easily calculated but arbitrary 
variables cannot without some serious code injection) and more generic 
as well. In short; No idiot on earth would want to change the values of 
$_SERVER in hope that it will be used if they already have the 
possibility to execute arbitrary code.