On Mon, 23 Oct 2006 10:38:31 -0700, in php.internals [EMAIL PROTECTED] (Rasmus Lerdorf) wrote:
>I had left out SERVER filtering in the initial version for much the same
>reasoning, but it turns out that a good chunk of holes were due to the
>fact that people used $_SERVER['REQUEST_URI'] unfiltered. Trying to
>teach people which SERVER vars are safe and which aren't isn't a fun
>task and the whole point of the filter extension is to take away the
>guessing game.

More well-known, the same goes for the HTTP headers populated in _SERVER
as well, even though some might be less obvious than others.

HTTP_HOST could be tainted as well in some cases where a DNS entry and
ServerAlias of *.example.com exists. An attacker could trick a user into
visiting www.%22%3EXSS.example.com which at least IE6 would accept as a
valid URL.

-- 
- Peter Brodersen

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
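The following is an added example illustrating the point made in the message above; it is not code from the thread or from the PHP project. It shows a self-link that interpolates $_SERVER['HTTP_HOST'] and $_SERVER['REQUEST_URI'] unfiltered, beside a version that treats both as tainted. It assumes PHP 5.2 or later (filter_var with FILTER_VALIDATE_REGEXP); the hostnames in $allowed, the function names and the request values are constructed for the example. The Host value is the decoded form of the www.%22%3EXSS.example.com trick the message describes, on a vhost whose ServerAlias *.example.com accepts any such name.

```php
<?php
// Added example, not from the thread: HTTP_HOST and REQUEST_URI are tainted
// input. Assumes PHP >= 5.2 (filter_var, FILTER_VALIDATE_REGEXP).
// Hostnames, function names and request values below are hypothetical.

// Constructed request: the vhost has ServerAlias *.example.com and the user
// was lured to http://www.%22%3EXSS.example.com/page?x=%22%3EXSS, so the
// server accepted it. Set by hand here; in production the web server
// fills these in and nothing stops a client from sending such values.
$_SERVER['HTTP_HOST']   = 'www."><script>alert(1)</script>.example.com';
$_SERVER['REQUEST_URI'] = '/page?x="><script>alert(1)</script>';

// Vulnerable: both values land in the HTML unchanged. The "> in either one
// closes the href attribute and the injected <script> runs.
function vulnerableSelfLink()
{
    return '<a href="http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']
         . '">this page</a>';
}

// Hardened, step 1: HTTP_HOST is validated against an allowlist, never
// "cleaned up". It must look like a hostname (optional :port) AND be one of
// the hosts this application is meant to serve; otherwise the canonical
// host is used. A wildcard ServerAlias then buys the attacker nothing.
function safeHost(array $allowedHosts)
{
    $raw = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    // filter_var returns the string on a match, false otherwise.
    $ok = filter_var($raw, FILTER_VALIDATE_REGEXP, array(
        'options' => array(
            'regexp' => '/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d{1,5})?$/i',
        ),
    ));
    if ($ok === false) {
        return $allowedHosts[0];
    }
    $host = strtolower(preg_replace('/:\d{1,5}$/', '', $ok));
    return in_array($host, $allowedHosts, true) ? $host : $allowedHosts[0];
}

// Hardened, step 2: REQUEST_URI cannot be allowlisted, so it is escaped for
// the context it is emitted into (an HTML attribute). ENT_QUOTES covers the
// double quote that closes the attribute in the attack above.
function safeRequestUri()
{
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
    return htmlspecialchars($uri, ENT_QUOTES, 'UTF-8');
}

function hardenedSelfLink(array $allowedHosts)
{
    return '<a href="http://' . safeHost($allowedHosts) . safeRequestUri()
         . '">this page</a>';
}

$allowed = array('www.example.com', 'example.com');
echo "vulnerable: ", vulnerableSelfLink(), "\n";
echo "hardened:   ", hardenedSelfLink($allowed), "\n";
```

Run it from the command line and compare the two lines: the first carries the attacker's markup straight through in both the host and the path, the second replaces the forged host with the canonical one and renders the path inert. The two values are handled differently on purpose: the set of valid Host values is known to the application, so it can be validated outright, whereas a request URI is open-ended and can only be escaped for wherever it is emitted.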