tags 595248 + patch
thanks

Hi.

On Friday, 3 September 2010 at 15:37 +0200, Olivier Berger wrote:

> After a quick analysis, I tend to believe that users of the standard PHP
> 5.3 apache module packages with "suhosin.server.strip On" are safe: the
> %3C and likes are converted to question marks ('?').
> 
> Still, this deserves some fixing.
> 
> > An upstream bug report exists at
> > http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005
> > and a preliminary patch has been provided by the MantisBT project (which
> > bundles NuSOAP) at: http://www.mantisbt.org/bugs/view.php?id=12312

I'm not so sure the whole of the patch proposed by the Mantis team is
completely justified, and here's another alternative (shorter but
sufficient I think). Still waiting for some opinion from upstream on this.

Any comments?

Best regards,
-- 
Olivier BERGER <olivier.ber...@it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
diff --git a/lib/class.wsdl.php b/lib/class.wsdl.php
index f435e54..d3f7034 100644
--- a/lib/class.wsdl.php
+++ b/lib/class.wsdl.php
@@ -743,9 +743,11 @@ class wsdl extends nusoap_base {
     	global $HTTP_SERVER_VARS;
 
 		if (isset($_SERVER)) {
-			$PHP_SELF = $_SERVER['PHP_SELF'];
+		  // Avoid XSS injection in PHP_SELF
+		  $PHP_SELF = substr($_SERVER['PHP_SELF'], 0, (strlen($_SERVER['PHP_SELF']) - strlen($_SERVER['PATH_INFO'])));
 		} elseif (isset($HTTP_SERVER_VARS)) {
-			$PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
+		  // Avoid XSS injection in PHP_SELF
+		  $PHP_SELF = substr($HTTP_SERVER_VARS['PHP_SELF'], 0, (strlen($HTTP_SERVER_VARS['PHP_SELF']) - strlen($HTTP_SERVER_VARS['PATH_INFO'])));
 		} else {
 			$this->setError("Neither _SERVER nor HTTP_SERVER_VARS is available");
 		}
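Review bot: `$_SERVER['PATH_INFO']` is only populated when the request carries extra path data after the script name, so on a plain request for the WSDL the new line `$PHP_SELF = substr($_SERVER['PHP_SELF'], 0, (strlen($_SERVER['PHP_SELF']) - strlen($_SERVER['PATH_INFO'])));` reads an undefined index and raises a notice. Guard it with isset() and keep the full PHP_SELF when there is no path info, or read `$_SERVER['SCRIPT_NAME']` directly, which already holds the script path without the PATH_INFO suffix and removes the length arithmetic. Note also that truncation only drops the user-controlled trailing component; the remaining value should still go through htmlspecialchars() wherever it is written into the generated WSDL, otherwise the comment `// Avoid XSS injection in PHP_SELF` promises more than this hunk delivers.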
diff --git a/lib/nusoap.php b/lib/nusoap.php
index a6dd21d..2860730 100644
--- a/lib/nusoap.php
+++ b/lib/nusoap.php
@@ -5222,9 +5222,11 @@ class wsdl extends nusoap_base {
     	global $HTTP_SERVER_VARS;
 
 		if (isset($_SERVER)) {
-			$PHP_SELF = $_SERVER['PHP_SELF'];
+		  // Avoid XSS injection in PHP_SELF
+		  $PHP_SELF = substr($_SERVER['PHP_SELF'], 0, (strlen($_SERVER['PHP_SELF']) - strlen($_SERVER['PATH_INFO'])));
 		} elseif (isset($HTTP_SERVER_VARS)) {
-			$PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
+		  // Avoid XSS injection in PHP_SELF
+		  $PHP_SELF = substr($HTTP_SERVER_VARS['PHP_SELF'], 0, (strlen($HTTP_SERVER_VARS['PHP_SELF']) - strlen($HTTP_SERVER_VARS['PATH_INFO'])));
 		} else {
 			$this->setError("Neither _SERVER nor HTTP_SERVER_VARS is available");
 		}
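Review bot: this hunk repeats the change made in lib/class.wsdl.php for the copy of `class wsdl extends nusoap_base` carried in lib/nusoap.php, so the same concern applies: `strlen($HTTP_SERVER_VARS['PATH_INFO'])` is evaluated unconditionally although that index may be absent, and whatever guard or SCRIPT_NAME-based fix is adopted for class.wsdl.php must be applied identically here or the two copies will drift. Style point: the added lines are indented with spaces while the surrounding block uses tabs (compare the new `$PHP_SELF = substr(...)` lines with `$this->setError(...)`), and the long substr() expression would read better with the computed length in a local variable.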
