Reported Potential XSS Exploit

Mon, 18 Feb 2008 20:36:55 +0000

Before anyone starts getting worked into a panic over a recent security alert, allow me to remark on allegations that this is an Etomite-specific exploit... I have no problems with resolving what is a true Etomite-specific threat but I do not appreciate having Etomite being made out to be THE threat... If the server that Etomite is running on has proper security measures in place then there is no threat... If, however, the server doesn't have proper security measures in place then many PHP scripts are potentially exploitable...

The threat itself was inaccurately described and it took me a while to figure out exactly what was going on... Alerts were stating that the $_SERVER['PHP_INFO'] variable, which doesn't even exist, is the culprit... The variable in question is actually $_SERVER['PHP_SELF']... If anyone wants to insure that their system is not vulnerable to exploit attempts they can do so be simply adding the following line into their index.php parser file... I have tested Etomite with this line both as the first line of code, directly below the opening tag as well as at the bottom of the script, directly above the comment line // first, set some settings, and do some stuff and both work equally well... At the top of the script is probably the easiest...

$_SERVER["PHP_SELF"] = htmlentities($_SERVER["PHP_SELF"]);

While the potential for Cross Server Scripting is somewhat remote, it can't hurt to have this extra line of code in place... The link to the best, yet still inaccurate, explanation is located at http://www.securityfocus.com/archive/1/488122 for anyone interested...

While only a remote possibility, I cannot assure anyone that this patch will not have potentially adverse effects on snippet functionality... I have been running tests on my development sites, only one of which is open to the vulnerability, and have had no problems as of yet...

Etomite Security Announcements

Reported Potential XSS Exploit

Subscribe to Announcements