Trusting Your PHP.
Published on: 2007-11-23 (Unix timestamp 1195791539)
You might have PHP running because your host installed it for you, or because you installed it yourself. Ever looked at it? It is something I do regularly. When I am bored I open the PHP source code and dissect its contents. Today I asked myself: does it have unsanitized XSS holes like hard-coded PHP_SELF? Of course it does. 19 files contained an unsanitized PHP_SELF tag, all of them test scripts or extensions. The thing is, who looks into its source and removes the test files? Some do, I guess. Others upload it to their server and just run it. One extension is called mnoGoSearch, which can be found by Googling for "Powered by mnoGoSearch". It shows again that you cannot trust a single thing; that is a harsh reality in security, whether it be minor flaws like this or complex ones that aren't visible to the untrained eye.
mnoGoSearch flaw:
$temp_cp .= " > <a href=\"$PHP_SELF?cat=$cp_path\">$cp_name</a> ";
So when we Google it, we find the first willing victim pretty quickly:
http://www.sanitastroesch.ch/d/search.php/"><script>alert('x');</script>
Because it echoes PHP_SELF, which is the script path plus whatever PATH_INFO the client appends after it, I close the path with a slash: the /"> terminates the href attribute and the <a> tag, and everything after it lands in the page as markup, which is where the XSS starts.
Another PHP file, /sapi/servlet/cookies.php, contains:
<form action="<?php echo $PHP_SELF ?>" method=POST>
More: testsodbc-t2.php to testsodbc-t5.php also contain such unsanitized tags.
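Both snippets above rely on the old register_globals variable $PHP_SELF, which is the same value as $_SERVER['PHP_SELF'] in any PHP still in use. The following is an added example written for this post, not code from PHP's bundled scripts or from mnoGoSearch: it builds the PHP_SELF value the request above produces, reproduces the vulnerable link, and shows the escaped version beside it. It runs from the PHP CLI; the $_SERVER entries are filled in by hand to mimic that request, and the function names are made up for the demo.

```php
<?php
// Added example for this post (not code from PHP's bundled scripts or from
// mnoGoSearch): how a raw PHP_SELF reaches an attribute, and how to fix it.
// The $_SERVER entries are set by hand to mimic the request shown above; the
// function names are invented for the demo.

// PHP_SELF is the script path plus whatever PATH_INFO the client appended, so
// a request for /d/search.php/"><script>alert('x');</script> produces this:
$_SERVER['SCRIPT_NAME'] = '/d/search.php';
$_SERVER['PATH_INFO']   = '/"><script>alert(\'x\');</script>';
$_SERVER['PHP_SELF']    = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];

// Vulnerable: the same shape as the mnoGoSearch line. Nothing is escaped, so
// the quote inside PATH_INFO ends the href attribute and the rest is markup.
function link_vulnerable(string $cp_path, string $cp_name): string
{
    return " > <a href=\"{$_SERVER['PHP_SELF']}?cat=$cp_path\">$cp_name</a> ";
}

// Hardened: every dynamic value is escaped for the context it lands in.
// ENT_QUOTES turns both " and ' into entities, so neither can close the
// attribute; the query value is URL-encoded first, then HTML-escaped.
function link_hardened(string $cp_path, string $cp_name): string
{
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    $path = htmlspecialchars(urlencode($cp_path), ENT_QUOTES, 'UTF-8');
    $name = htmlspecialchars($cp_name, ENT_QUOTES, 'UTF-8');
    return " > <a href=\"$self?cat=$path\">$name</a> ";
}

// Stricter still, for the cookies.php form: SCRIPT_NAME does not carry
// PATH_INFO, so the action points at the script itself instead of echoing the
// client's path. It is escaped anyway; no $_SERVER value is markup-safe.
function form_action_fixed(): string
{
    $self = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return "<form action=\"$self\" method=\"post\">";
}

echo "vulnerable: ", link_vulnerable('1.2', 'Docs'), "\n";
echo "hardened:   ", link_hardened('1.2', 'Docs'), "\n";
echo "form:       ", form_action_fixed(), "\n";
```

Run it with php on the command line: the first line prints a working <script> tag inside the link, the second prints the same request with the quote and angle brackets turned into &quot;, &lt; and &gt;, so the browser keeps it inside the attribute.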
Is that all? Well, no, not exactly.
It is easy to look for files that are uploaded unprotected. It can be anything, like PEAR packages:
http://idm.cctv.com/admin/libs/pear/PEAR/Frontend/CLI.php
So those were the minor flaws, but if we look five minutes more we get to the honey right away:
http://mari-biotech.nstl.gov.cn/ImageStorage/.php?action=view&file=../../ -sensitive file here-
You get the idea, I guess. If Google cannot find it, we just use a remote server sweeping script that checks whether such files exist. The message is simple: remove it if you do not use it.
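A sweeping script of the kind just mentioned, written as an added example for this post rather than taken from it. The target host is a placeholder and the path list is only illustrative, seeded from the files named above; the one thing worth copying is the baseline probe, because a server that answers 200 to every path would otherwise make every leftover file look present.

```php
<?php
// sweep.php: probe a web server for leftover test, example and library files.
// Added example for this post, not the author's own script. The host is a
// placeholder and the path list is illustrative, seeded from the files named
// in the post. Usage: php sweep.php http://target.example

$paths = [
    '/search.php',                              // mnoGoSearch example script
    '/sapi/servlet/cookies.php',
    '/admin/libs/pear/PEAR/Frontend/CLI.php',   // PEAR shipped under the docroot
    '/ImageStorage/.php',
];

// HEAD request; returns the HTTP status, or null when the request itself fails.
function http_status(string $url): ?int
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect to /404.html is not a hit
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_USERAGENT      => 'leftover-sweep/0.1',
    ]);
    $ok   = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return $ok === false ? null : $code;
}

// Learn how this server answers for a file that cannot exist. Hosts that reply
// 200 (or a redirect) to everything would otherwise look like they have every file.
function baseline(string $base): ?int
{
    return http_status($base . '/' . bin2hex(random_bytes(8)) . '.php');
}

// Returns [path => status] for the paths whose status differs from the baseline.
function sweep(string $base, array $paths, int $missing): array
{
    $found = [];
    foreach ($paths as $p) {
        $code = http_status($base . $p);
        if ($code !== null && $code !== $missing) {
            $found[$p] = $code;
        }
    }
    return $found;
}

$base    = rtrim($argv[1] ?? 'http://target.example', '/');
$missing = baseline($base);
if ($missing === null) {
    fwrite(STDERR, "$base: not reachable\n");
    exit(1);
}
if ($missing !== 404) {
    fwrite(STDERR, "note: a random path got $missing, not 404; treating $missing as 'missing'\n");
}
foreach (sweep($base, $paths, $missing) as $p => $code) {
    echo "$code  $base$p\n";
}
```

If a server refuses HEAD (405 on everything), drop CURLOPT_NOBODY so the probe becomes a GET; the baseline comparison works the same way. A 403 on a path is still worth a look, since it means the file is there and only the web server is in the way.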