XSS via environment variables in PHP

If you have ever been even a little interested in web application security, you must have heard of XSS. You probably know that you need to sanitize any user input, but what is much less obvious is that $_SERVER should by no means be trusted entirely either.

HTTP_X_FORWARDED_FOR, HTTP_REFERER, any HTTP_USER_*, and in some cases even HTTP_HOST and PATH_INFO may all be (usually easily) modified by the user. Most of them come straight from the user agent (a browser or whatever else; you never know, do you?).

Actually, $_SESSION should not always be trusted either. If your app is on shared hosting and you store session data in the /tmp directory (which is the default), other users can get access to it and modify it to whatever they want… or just steal it. Pretty nasty, huh?
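As an added illustration (not code from the original post), here is a typical "visitor info" snippet that echoes these headers unsafely, next to a version that validates what has a strict format and escapes the rest for its HTML context. The request values are constructed, and the helper names are my own:

```php
<?php
// Constructed request: these are values the client itself can set, as the post
// explains, so they are treated as untrusted input just like $_POST or $_GET.
$fakeServer = [
    'REMOTE_ADDR'          => '203.0.113.5',
    'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>',
    'HTTP_REFERER'         => 'http://example.com/?q="><script>alert(1)</script>',
    'HTTP_USER_AGENT'      => 'Mozilla/5.0 </p><script>alert(1)</script>',
];

// Vulnerable: header values are concatenated into HTML as-is, so any markup
// the client put in them becomes part of the rendered page.
function renderVisitorUnsafe(array $server): string
{
    return '<p>IP: ' . ($server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR']) . '</p>'
         . '<p>Referer: ' . ($server['HTTP_REFERER'] ?? '') . '</p>'
         . '<p>UA: ' . ($server['HTTP_USER_AGENT'] ?? '') . '</p>';
}

// Escape for an HTML text/attribute context; ENT_QUOTES also neutralises
// single quotes, ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// X-Forwarded-For has a known shape, so validate it instead of just escaping.
// Only the first hop is considered, and only if it parses as an IP address;
// it is still only meaningful when you control the proxy that sets it.
function clientIp(array $server): string
{
    $candidate = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '')[0]);
    if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
        return $candidate;
    }
    return $server['REMOTE_ADDR'] ?? 'unknown';
}

// Hardened: every $_SERVER value passes through validation or escaping.
function renderVisitorSafe(array $server): string
{
    return '<p>IP: ' . h(clientIp($server)) . '</p>'
         . '<p>Referer: ' . h($server['HTTP_REFERER'] ?? '') . '</p>'
         . '<p>UA: ' . h($server['HTTP_USER_AGENT'] ?? '') . '</p>';
}

echo renderVisitorUnsafe($fakeServer), "\n\n", renderVisitorSafe($fakeServer), "\n";
```

Run it from the CLI to compare the two outputs: the first contains live script tags, the second shows them as literal text and falls back to REMOTE_ADDR because the forwarded value is not an IP.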

by sobstel • May 2011