bootstrap uses PHP_SELF in conf_init and request_uri, as far as I can tell without filtering. This isn't safe. Is this getting filtered somewhere or somehow that I'm missing? If it isn't getting filtered elsewhere, adding htmlentities to these two functions would be an inelegant but sufficient (for security purposes) fix. See here for a discussion about not trusting PHP_SELF: http://blog.phpdoc.info/archives/13-guid.html
David Caylor wrote:
> bootstrap uses PHP_SELF in conf_init and request_uri, as far as I can tell without filtering. This isn't safe. Is this getting filtered somewhere or somehow that I'm missing?
> If it isn't getting filtered elsewhere, adding htmlentities to these two functions would be an inelegant but sufficient (for security purposes) fix.
> See here for a discussion about not trusting PHP_SELF: http://blog.phpdoc.info/archives/13-guid.html
Like any responsible software project, Drupal does have a security@ address where such concerns should be sent. Now all we need is responsible bug reporters... I am not sure that the reported use of PHP_SELF is a problem.

Cheers,
Gerhard
Looks to me like it is dependent on which version of PHP is being used. Older versions running Drupal might still be vulnerable. Using PHP 4.3.10, I was not able to duplicate any of the example XSS attacks.
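As an added illustration of the report and the htmlentities-style fix proposed above (example code written here, not Drupal's conf_init or request_uri), using a constructed PHP_SELF value and hypothetical helper function names:

```php
<?php
// Added example, not Drupal's code. PHP_SELF carries PATH_INFO, so its
// tail is attacker-controlled; echoing it raw into HTML is an XSS sink.

// Constructed sample of what a request for /index.php/"><b>x</b>
// would leave in $_SERVER['PHP_SELF'].
$php_self = '/index.php/"><b>injected</b>';

// Unsafe: the quote closes the attribute and the injected tag is rendered.
function form_action_unsafe(string $self): string
{
    return '<form action="' . $self . '" method="post">';
}

// Safe: escape for an HTML attribute context. ENT_QUOTES covers both
// quote styles, so the value can no longer break out of the attribute.
function form_action_safe(string $self): string
{
    return '<form action="' . htmlspecialchars($self, ENT_QUOTES, 'UTF-8')
        . '" method="post">';
}

// Alternative defence (assumption: the application knows what a valid
// script path looks like): reject anything outside a strict whitelist,
// or derive the path from SCRIPT_NAME, which excludes PATH_INFO.
function self_path_whitelist(string $self): ?string
{
    return preg_match('#^/[A-Za-z0-9_./-]*$#', $self) ? $self : null;
}

echo form_action_unsafe($php_self), "\n";   // markup injected
echo form_action_safe($php_self), "\n";     // markup escaped
var_dump(self_path_whitelist($php_self));   // rejected
var_dump(self_path_whitelist('/index.php')); // accepted
```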
Participants (3): Chris Johnson, David Caylor, Gerhard Killesreiter