How “tamper proof” is the $_SERVER variable in php?

How “tamper proof” is the $_SERVER variable in php?

Would I be taking a big security risk by trusting the content of the $_SERVER variable array to get the name of php file using $_SERVER[‘PHP_SELF’]?

Solutions/Answers:

Solution 1:

Many but not all of the $_SERVER variables are attacker controlled. For instance $_SERVER['SCRIPT_NAME'] is safe where as $_SEVER['PHP_SELF'] is a vary dangerous variable and is often the source of xss:

<?php
echo $_SEVER['PHP_SELF'];
?>

PoC:

http://localhost/self.php/<script>alert(/xss/)</script>

It is easy to see this vulnerability in action by looking at phpinfo.

Solution 2:

There is no special mechanism in effect to protect this variable. You can write to it as you can to any other variable. So you have to protect it against tampering like any other variable (disable register_globals, avoid variable variables, etc.). Then you can trust it.

As a workaround to be sure, you can define your own constants early in your program:

define('SCRIPT_FILENAME',$_SERVER['SCRIPT_FILENAME']);

and use predefined constants where available, e.g. __FILE__.

Solution 3:

From the php.net manual:

The entries in this array are created by the web server. There is no guarantee that every web server will provide any of these; servers may omit some, or provide others not listed here.

So, if you are aware of all users who have access to change server configuration, (and all scripts in your session that may modify the contents of the variable) you can be reasonably sure of the $_SERVER variable’s data.

Solution 4:

Not at all, this can not actually be a risk at all as long as you don’t use data from user. That is, use one of these:

echo __FILE__;
// is the same as
echo $_SERVER["SCRIPT_FILENAME"];

echo $_SERVER["SCRIPT_NAME"];
// SCRIPT_NAME contains just the path

Related:  How secure is it to call “secret” URLs in an iOS app?

References