PHP $_SERVER variables are not safe for use in forms, links

Yevonsouls — Wed, 23 Sep 2009 14:06:12 +0000

A common security mistake I see WordPress plugin authors (and PHP coders in general) make is using $_SERVER['PHP_SELF'] or $_SERVER['REQUEST_URI'] as the action of a form or part of an anchor’s href attribute. This is not safe to do, and opens your code up to XSS (cross-site scripting) exploits.

Common example:

<form action="php echo $_SERVER['PHP_SELF']; ?>">


Another example:


<a href="php echo $_SERVER['PHP_SELF']' ?>?foo=bar">link titlea>



Here are my two rules regarding $_SERVER['PHP_SELF'] or $_SERVER['REQUEST_URI'] in forms:

Do not use them
If you use one of them, escape it with esc_url()

Most uses of $_SERVER['PHP_SELF'] and $_SERVER['REQUEST_URI'] are in HTML forms. If you want the action attribute to point to the current URL, leave it blank. URI references that are blank point to the current resource.


<form action="">


If you do want to specify the action (and there are good reasons for wanting to do that, such as stripping the query string from the current URL), you must run it through esc_url().


<form action="php echo esc_url( $_SERVER['PHP_SELF'] ); ?>">



The same applies to links… run the href attribute through esc_url().


<a href="php echo esc_url( $_SERVER['PHP_SELF'] . '?foo=bar' ); ?>">link titlea>



A quick search through the WordPress Plugin Directory showed that this problem is far too common.
Updates:
Examples of URLs that could exploit this for double-quoted actions:
script.php/"%20onmouseover='alert(document.cookie)'
And single-quoted actions:
script.php/'%20onmouseover='alert(document.cookie)'
No, just using a plain old htmlentities() wrapper is not going to help! That’s still vulnerable to XSS in certain situations. If you’re not using WordPress, you should copy the WordPress escaping functions (just remove the apply_filters() portions).
If you are using the base tag, Safari will apply that base to the blank action attribute. So if you use the base tag (I never do), a blank action isn’t going to be for you. Use what you’ve been using, but escape it.
Lester Chan has a handy snippet for the form action of WordPress plugin settings pages:


<form action="php echo admin_url( 'admin.php?page=' . plugin_basename( __FILE__ ) ); ?>">



admin_url() takes care of escaping for you, and is an easy way to create a full WP admin URL from a wp-admin-relative URL.
Source:  http://markjaquith.wordpress.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/





A common security mistake I see WordPress plugin authors (and PHP coders in general) make is using $_SERVER['PHP_SELF'] or $_SERVER['REQUEST_URI'] as the action of a form or part of an anchor’s href attribute. This is not safe to do, and opens your code up to XSS (cross-site scripting) exploits.
Common example:


1.<form action="php echo $_SERVER['PHP_SELF']; ?>">



Another example:


1.<a href="php echo $_SERVER['PHP_SELF']' ?>?foo=bar">link titlea>



Here are my two rules regarding $_SERVER['PHP_SELF'] or $_SERVER['REQUEST_URI'] in forms:

Do not use them
If you use one of them, escape it with esc_url()

Most uses of $_SERVER['PHP_SELF'] and $_SERVER['REQUEST_URI'] are in HTML forms. If you want the action attribute to point to the current URL, leave it blank. URI references that are blank point to the current resource.


1.<form action="">


If you do want to specify the action (and there are good reasons for wanting to do that, such as stripping the query string from the current URL), you must run it through esc_url().


1.<form action="php echo esc_url( $_SERVER['PHP_SELF'] ); ?>">



The same applies to links… run the href attribute through esc_url().


1.<a href="php echo esc_url( $_SERVER['PHP_SELF'] . '?foo=bar' ); ?>">link titlea>



A quick search through the WordPress Plugin Directory showed that this problem is far too common.
Updates:
Examples of URLs that could exploit this for double-quoted actions:
script.php/"%20onmouseover='alert(document.cookie)'
And single-quoted actions:
script.php/'%20onmouseover='alert(document.cookie)'
No, just using a plain old htmlentities() wrapper is not going to help! That’s still vulnerable to XSS in certain situations. If you’re not using WordPress, you should copy the WordPress escaping functions (just remove the apply_filters() portions).
If you are using the base tag, Safari will apply that base to the blank action attribute. So if you use the base tag (I never do), a blank action isn’t going to be for you. Use what you’ve been using, but escape it.
Lester Chan has a handy snippet for the form action of WordPress plugin settings pages:


1.<form action="php echo admin_url( 'admin.php?page=' . plugin_basename( __FILE__ ) ); ?>">



admin_url() takes care of escaping for you, and is an easy way to create a full WP admin URL from a wp-admin-relative URL.






Share and Enjoy:


	
	
	
	
	
	
	
	
	
	
	
	
	



	Tags: congratulations, CSS, launched, mod news, mod updates, w3c compliance, Web Design, website launching, xhtml


	Related posts
	
	My Own Developer Launching! (3)
	960 Gridder: Easy to use layout design tool (0)
	The Beauty of CSS (1)
	6 New Web Technologies of 2009 You Need to Use Now (1)
	Do’s and Dont’s in web site building (0)

Freelance Web Developers » congratulations

PHP $_SERVER variables are not safe for use in forms, links

Related posts

My Own Developer Launching!

Related posts