Re: [Full-disclosure] Apache/PHP REQUEST_METHOD XSS Vulnerability

On Tue, 2007-04-24 at 20:03 +0300, عبد الله احمد عنان wrote:
This is a case of poor-programming, on the script coder's part, it is
not so
much a vunerability.

In that case, nobody's talking about vulnerabilities on this list, only
poor programming. :)

The problem in here is that the programmer "assumes" that the variables
do have a proper value checking done prior to handling off to the script
engine. HTTP_METHOD is well defined. One would assume apache has
validated the method somehow.

Unfortunately, this assumption was flawed.

That variable only contains what it is sent by apache. it doesn't
parse it.
nor is it supposed to.

However, it (apache) should perform integrity checks, because it has the
capacity to do so.

This CAN be a vulnerability with individual scripts, however, it is
not a vuln
with PHP or Apache.

Not with PHP. But I would agree with the original programmer that apache
is in fault here. Apache should have done the expected work, and
validated that the request was standards-compliant. It didn't, and that
opens up a huge chasm in which plenty of problems, vulnerabilities and
others, may hide.


--
Vincent ARCHER
varcher@xxxxxxxxxxx

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 23, rue Notre Dame des Victoires - 75002 Paris - France

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages
Quantcast