Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Apache/PHP REQUEST_METHOD XSS Vulnerability

from [Michal Majchrowicz] Network Security [Permanent Link]
Subject: [Full-disclosure] Apache/PHP REQUEST_METHOD XSS Vulnerability
Date: Mon, 23 Apr 2007 23:31:34 +0200 
There exist a flaw in a way how Apache and php combination handle the
$_SERVER array.
If the programmer writes scrip like this:
<?php
              echo $_SERVER['REQUEST_METHOD'];
?>
He will assume that REQUEST_METHOD can only by: GET,POST,OPTIONS,TRACE
and all that stuff. However this is not true, since Apache accepts
requests that look like this:
GET<script>alert(document.coookie);</script> /test.php HTTP/1.0
And the output for this would be:
GET<script>alert(document.coookie);</script>
Of course it is hard to exploit (I think some Flash might help ;)) and
I don't know if it is exploitable at all. But programmers should be
warned about this behaviour. You can't trust any  variable in the
$_SERVER table!
Regards Michal Majchrowicz.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] Apache/PHP REQUEST_METHOD XSS Vulnerability, Michal Majchrowicz <=
Previous by Date:  [Full-disclosure] iDefense Security Advisory 04.20.07: Check Point Zone Labs SRESCAN IOCTL Local Privilege Escalation Vulnerability, iDefense Labs
Next by Date:  Re: [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability, Richard Moore
Previous by Thread:  [Full-disclosure] iDefense Security Advisory 04.20.07: Check Point Zone Labs SRESCAN IOCTL Local Privilege Escalation Vulnerability, iDefense Labs
Next by Thread:  [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability, Michal Majchrowicz
Indexes:  [Date] [Thread] [Top] [All Lists]