A well-known XSS vector is echoing $_SERVER['PHP_SELF'] unescaped into a form's action attribute: PHP_SELF includes any path-info appended to the request URL, so a link to /form.php/"><script>alert(1)</script> puts the attacker's markup straight into the page. More about this problem on stack overflow. Anyhow, recently I have been working on a project where I was to extend existing PHP code, and I noticed this vulnerability was present in the code. As this is a case of "replace a string in all files", it can be solved with a single command.
However, it sounded much simpler than it was. I must admit I have little experience with regular expressions, or with the differences between regular expressions in Perl and sed, as the following expression worked in sed but not in perl. Another problem was escaping, especially in my previous failed attempt, which used -exec as a find parameter (as recommended here); that would need double escaping and such. Way too messy, so xargs looks much cleaner. Anyhow, the following code is working:
$ find directory -name "*.php" -print0 | xargs -0 sed -i "s/<?php echo \$_SERVER\['PHP_SELF'\]; ?>/<?php echo htmlspecialchars(\$_SERVER['PHP_SELF'], ENT_QUOTES, 'utf-8'); ?>/g"
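As an added example (not the command from the post above and not the script's own code), the same replacement as a small shell script: it runs the substitution over a constructed sample tree, tolerates the whitespace and missing-semicolon variants of the echo, keeps file names with spaces intact with -print0 / -0, and afterwards counts the $_SERVER['PHP_SELF'] uses that an exact-pattern substitution cannot fix, such as the value being stored in a variable first. The sample files, directory names and function names are made up for the example; GNU sed and xargs are assumed (BSD sed spells in-place editing -i ''). ENT_QUOTES escapes both quote characters, so the value is safe inside either a double- or single-quoted attribute.

```shell
#!/bin/sh
# Added example: mass replacement of a raw echo $_SERVER['PHP_SELF'] with the
# htmlspecialchars() form, plus a report of what the pattern cannot fix.
# Assumes GNU sed (for -i) and find/xargs with -print0 / -0.

# sed script, kept in a double-quoted variable so the shell does not expand
# $_SERVER (the \$ is for the shell; sed then sees a literal $ mid-pattern).
# The pattern tolerates optional whitespace and an omitted semicolon, i.e. both
#   <?php echo $_SERVER['PHP_SELF']; ?>   and   <?php echo $_SERVER['PHP_SELF'] ?>
PHP_SELF_SED="s/<?php[[:space:]]*echo[[:space:]]*\$_SERVER\['PHP_SELF'\];\{0,1\}[[:space:]]*?>/<?php echo htmlspecialchars(\$_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>/g"

# Rewrite every *.php below directory $1 in place. -print0 / -0 pass the file
# names NUL-separated, so names containing spaces or newlines survive
# (plain -print | xargs splits them into several bogus arguments).
fix_php_self() {
    find "$1" -type f -name '*.php' -print0 | xargs -0 -r sed -i -e "$PHP_SELF_SED"
}

# Number of *.php files under $1 that still echo PHP_SELF raw (0 after the fix).
count_raw_echo() {
    find "$1" -type f -name '*.php' -exec grep -l "echo \$_SERVER\['PHP_SELF'\]" {} + | wc -l | tr -d ' '
}

# Number of *.php files under $1 that mention PHP_SELF at all. Assignments,
# string concatenation or other echo forms are not touched by the sed pattern
# and have to be reviewed by hand (often the action attribute can simply go).
count_any_php_self() {
    find "$1" -type f -name '*.php' -exec grep -l 'PHP_SELF' {} + | wc -l | tr -d ' '
}

# Constructed sample tree: three made-up files, one in a directory with a
# space in its name, one storing PHP_SELF in a variable.
make_sample() {
    dir=$(mktemp -d)
    mkdir "$dir/admin dir"
    cat > "$dir/login.php" <<'EOF'
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
EOF
    cat > "$dir/admin dir/list.php" <<'EOF'
<form action="<?php echo $_SERVER['PHP_SELF'] ?>?controller=AdminListings&action=update">
EOF
    cat > "$dir/helper.php" <<'EOF'
<?php $self = $_SERVER['PHP_SELF']; // stored in a variable: the sed pattern does not see this
EOF
    printf '%s' "$dir"
}

# Run as: sh fix_php_self.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(make_sample)
    echo "files echoing PHP_SELF raw before: $(count_raw_echo "$d")"
    fix_php_self "$d"
    echo "files echoing PHP_SELF raw after:  $(count_raw_echo "$d")"
    echo "files still mentioning PHP_SELF (manual review): $(count_any_php_self "$d")"
    cat "$d/admin dir/list.php"
    rm -rf "$d"
fi
```

The second count is the interesting one: after the run it is still non-zero, because helper.php assigns PHP_SELF to a variable and echoes it elsewhere, which is exactly the kind of occurrence a string replacement leaves behind.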
I would not recommend this. Many newbies write statements like <form action=""> which is pointless, as 'action' may be omitted with similar behaviour (except the XSS).
A better possibility is searching through all $_SERVER['PHP_SELF'] instances and looking at whether they can be omitted / changed. This also has the advantage that values stored in variables are found as well.
I would also be sceptical about such code. It shows that the maker is not familiar with common security vulnerabilities and that the code needs a code review by an expert.
The code involved using both POST and GET parameters. So it was something like
action="<?php echo $_SERVER['PHP_SELF']; ?>?controller=AdminListings&action=update"
It's using the controller / model / view model. And it's a pain in the ass if you ask me.
Well... I don't like the code. It's called "Car Listing Script by ClassifiedsGeek.com", and it appears to be rather old.
I have written my own implementation for the visitor part of the website, but the admin part is still that old script. I would recommend writing my own admin panel for this as well.
I mean... what it is supposed to do is rather simple, and I bet I would have been able to write a better admin panel in the time I've needed to make modifications to this one.