
In PHP, remote file inclusion can be conducted via input from $_GET, $_POST, $_COOKIE. I know it is improbable, but is it possible (by any chance) to fake the values that come out of $_SERVER?

I mean, can $_SERVER become the source of Remote file inclusion even on rare occasion?

Googlebot
  • possible duplicate of [Which $_SERVER variables are safe?](http://stackoverflow.com/questions/6474783/which-server-variables-are-safe) – rook Jan 10 '12 at 15:52

2 Answers


$_SERVER is an array containing information on paths used to access the request, headers etc.

A number of the values are directly set and manipulated by the user (such as QUERY_STRING) so it is potentially vulnerable in exactly the same way as $_GET and $_POST. That depends on how you use those values in your own code though.

Did you have a specific index of $_SERVER in mind that you wouldn't want faking?

Nick Downton
  • My focus is on server definition values such as DOCUMENT_ROOT, SERVER_NAME, PHP_SELF, etc. These can be used to locate a local php file for `include`. – Googlebot Jan 10 '12 at 11:29
  • PHP_SELF is certainly not to be trusted. Try creating a file echoing it and requesting it like so: "domain.com/phpselfecho.php/anyrandompieceoftext". It's much better to use SCRIPT_NAME – Nick Downton Jan 10 '12 at 11:58
  • @Nick Downton: but that's a XSS vulnerability – symcbean Jan 10 '12 at 13:22
  • Yes, in that instance, but it's certainly worth highlighting. I also don't think it is immediately obvious where that value is obtained from i.e. the user's input. If you really are using php_self in an include(), then the user potentially has the opportunity to alter what you are including. – Nick Downton Jan 10 '12 at 13:57
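An added example in PHP (not code from the question or either answer) showing the PHP_SELF path-info behaviour described in the comments above beside a form that picks the include target from SCRIPT_NAME and a fixed allowlist; TEMPLATE_DIR, the template naming and the $server arrays are assumptions:

```php
<?php
// Added example (not code from the question or answers): PHP_SELF ends with
// the request's PATH_INFO, so it is request input; SCRIPT_NAME is set by the
// web server from the script it resolved. Assumptions: templates live in a
// hypothetical TEMPLATE_DIR and are named <page>.tpl.php; the $server arrays
// below are constructed snapshots of $_SERVER, not real requests.
declare(strict_types=1);

define('TEMPLATE_DIR', __DIR__ . '/templates');

// Constructed: a request to /index.php, and the same request with the
// trailing path segment from the comment above appended.
$plain    = ['SCRIPT_NAME' => '/index.php', 'PHP_SELF' => '/index.php'];
$pathInfo = ['SCRIPT_NAME' => '/index.php', 'PHP_SELF' => '/index.php/anyrandompieceoftext'];

// Vulnerable: the template name is taken from PHP_SELF, so whoever builds
// the URL also decides which file include() loads.
function templateFromPhpSelf(array $server): string
{
    $page = basename($server['PHP_SELF'], '.php');
    return TEMPLATE_DIR . '/' . $page . '.tpl.php';
}

// Hardened: start from SCRIPT_NAME and, more importantly, accept only names
// from a fixed allowlist; anything else is refused rather than guessed.
function templateFromAllowlist(array $server, array $allowed): ?string
{
    $page = basename($server['SCRIPT_NAME'], '.php');
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    return TEMPLATE_DIR . '/' . $page . '.tpl.php';
}

$allowed = ['index', 'about'];
echo templateFromPhpSelf($plain), "\n";              // template named after the script
echo templateFromPhpSelf($pathInfo), "\n";           // template named by the URL's trailing segment
echo templateFromAllowlist($pathInfo, $allowed), "\n"; // path info ignored, script name checked
var_dump(templateFromAllowlist(['SCRIPT_NAME' => '/x.php', 'PHP_SELF' => '/x.php'], $allowed)); // refused
```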

Yes, it's possible to manipulate some of the values in $_SERVER.

However, an LFI relies on the attacker being able to inject a reference to the code to be executed and get PHP to execute that code. Unless you intend to ignore everything other than the URL sent in every request (i.e. you are running a static site) then you'll get a lot more mileage out of focussing your efforts on how code referenced by a variable is being invoked.

symcbean