Looking at some old code of a client's, I see he's using
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" />
I was wondering if it was subject to XSS, but when I try:
form.php"><script>alert('xss');</script>
=> 404 NOT FOUND from Apache
form.php/"><script>alert('xss');</script>
=> 404 from my app
I must specify that I also use ?action=specific_page in the url for its normal use.
Does that mean no XSS is possible using PHP_SELF, or does it mean I'm trying it the wrong way?
If your form is at form.php, try accessing it with a URL in the browser like
http://yoursite.com/form.php/"><script>alert('XSS')</script>
to see if it is vulnerable to injection. If it doesn't do anything, your configuration prevents this, at least for this specific file.
(Of course, you should use something like htmlspecialchars($_SERVER['SCRIPT_NAME']) anyway.)
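To make the answer concrete, here is an added example (not code from the question or the answer above) that puts the original form tag side by side with the hardened version. It assumes the $_SERVER values a PHP-under-Apache setup would produce for a clean request and for a request carrying PATH_INFO; those values are constructed inline rather than read from a live server. PHP_SELF contains the script path plus any PATH_INFO (the "/..." part after form.php), which is exactly the part the attacker controls; the ?action= query string from the question is not part of PHP_SELF. SCRIPT_NAME never carries PATH_INFO, and htmlspecialchars() with ENT_QUOTES neutralises the quote and angle brackets in an attribute context either way.

```php
<?php
// Added example: vulnerable vs. hardened form action built from $_SERVER.
// Not part of the original question or answer.
declare(strict_types=1);

// Constructed sample $_SERVER fragments (assumption: Apache + mod_php with
// AcceptPathInfo enabled, so PATH_INFO reaches the script instead of a 404).
$samples = [
    'clean request  /form.php?action=specific_page' => [
        'PHP_SELF'    => '/form.php',
        'SCRIPT_NAME' => '/form.php',
        'QUERY_STRING' => 'action=specific_page',
    ],
    'PATH_INFO injection  /form.php/"><script>alert(\'XSS\')</script>' => [
        'PHP_SELF'    => '/form.php/"><script>alert(\'XSS\')</script>',
        'SCRIPT_NAME' => '/form.php',
        'QUERY_STRING' => '',
    ],
];

/** Vulnerable: the original pattern, PHP_SELF echoed straight into an attribute. */
function vulnerable_form_tag(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

/** Hardened: SCRIPT_NAME drops PATH_INFO, and the value is escaped for HTML. */
function hardened_form_tag(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

/** Defence in depth: even PHP_SELF is harmless once it is escaped. */
function escaped_php_self_form_tag(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

/** Crude check: does the emitted tag still contain a raw <script> element? */
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

foreach ($samples as $label => $server) {
    echo "== $label ==\n";
    foreach (['vulnerable' => 'vulnerable_form_tag',
              'hardened'   => 'hardened_form_tag',
              'escaped'    => 'escaped_php_self_form_tag'] as $name => $fn) {
        $tag = $fn($server);
        printf("%-10s %s  [raw <script>: %s]\n",
            $name, $tag, contains_raw_script($tag) ? 'YES' : 'no');
    }
    echo "\n";
}
```

Run it with `php form_action_demo.php`. For the PATH_INFO sample, only the vulnerable variant emits a literal `<script>` element; the escaped variants turn `"` into `&quot;` and `<` into `&lt;`, so the browser keeps the payload inside the attribute value. The 404s in the question mean Apache (or the app's router) rejected the PATH_INFO request before this code ran, which is why the test appeared to do nothing; that protection depends on server configuration, not on the form code, so the escaping is still the right fix.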