XSS Hole in PHP_SELF


It was brought to my attention recently by a reader of the blog that there was a vulnerability in one of my posts (the email sending script). I dismissed it because PHP_SELF is a server variable, but then he confirmed it with a proof of concept.

I was not aware of this, and generally my code is very clean and secure, so I thought I'd blog about it because it's something we should all be aware of! XSS is not something to take lightly: although it is not as dangerous as remote file inclusion or SQL injection, there are serious security ramifications from the injection of JavaScript through XSS.

Here's the code in question:

<?php
// Enter your email
$to = "andrew@pryde-design.co.uk";

// Contact form (htmlentities encodes quotes and angle brackets, so the
// PHP_SELF value cannot break out of the action attribute)
$form = '<form name="Email Form" method="post" action="' . htmlentities($_SERVER["PHP_SELF"]) . '">Name<br />';
$form .= '<input type="text" name="name" /><br /><br />Subject<br />';
$form .= '<input type="text" name="subject" /><br /><br />Message<br />';
$form .= '<textarea name="msg" cols="50" rows="5"></textarea><br />';
$form .= '<input type="submit" name="Submit" value="Submit" /></form>';

// Has the form been filled in?
if (!empty($_POST["name"]) && !empty($_POST["subject"]) && !empty($_POST["msg"]))
{
    // If it has, send the data
    if (mail($to, $_POST["subject"], $_POST["msg"]))
    {
        print "Message Sent!";
    }
    else
    {
        print "There was an error, please contact " . $to . " via your mail client";
    }
}
else
{
    print $form;
}
?>

As you can see, after Ausome's comments I have added htmlentities to the script and there is no longer a problem, but let me show you what happened before I added htmlentities.

At the end of the URL (/ems.php) I added /"><script>alert('xss')</script> and the HTML source ended up like this: action="/ems.php/"><script>alert('xss')</script>"> instead of action="/ems.php">.
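To make the before and after concrete, here is an added example (my code, not the original post's) that builds the form's action attribute both ways from a constructed PHP_SELF value; form_action_unsafe, form_action_safe and $injected are names I chose for the illustration.

```php
<?php
// Added example, not the original post's code: the vulnerable and the fixed
// way of building the form's action attribute from $_SERVER["PHP_SELF"].

// Vulnerable: the raw server variable is copied straight into an HTML attribute.
function form_action_unsafe(string $php_self): string
{
    return '<form method="post" action="' . $php_self . '">';
}

// Fixed: encode for an HTML attribute context. ENT_QUOTES also encodes single
// quotes, so the result is safe whether the attribute uses " or ' delimiters.
function form_action_safe(string $php_self): string
{
    $escaped = htmlentities($php_self, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $escaped . '">';
}

// Constructed stand-in for PHP_SELF: PHP_SELF is the script path plus any extra
// path segment the client appended, already URL-decoded, so a request for
// /ems.php/"><script>alert('xss')</script> yields exactly this string.
$injected = '/ems.php/"><script>alert(\'xss\')</script>';

foreach (['unsafe' => form_action_unsafe($injected),
          'safe'   => form_action_safe($injected)] as $label => $html) {
    // Does a raw `">` followed by a new tag survive into the markup?
    $broken_out = strpos($html, '"><script') !== false;
    printf("%s: %s\n  %s\n",
        $label,
        $broken_out ? 'attribute closed early, tag injected' : 'value stays inside the attribute',
        $html);
}
```

Run it with `php example.php`: the unsafe variant reproduces the broken markup shown above, while the safe variant keeps the whole path, angle brackets and quotes included, inside the attribute value.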

Basically, the moral of this story is: if in doubt, escape the variable!

Andrew (thanks to Asome1)
