PHP: Exploitation with $_REQUEST while validating $_GET

SecMyth

After learning to inspect security from all perspectives from Prof. Pfitzmann at the University, I am now working as Penetration tester and IT Security Consultant since 2009. I have seen many many different applications, architectures and technologies since then.
Web Applications, Web Services, Oracle, MySQL, Linux, SAP R3 are my focus technologies, while my activities are widely spreaded: manual penetration tests, static code analysis, code reviews, consulting, project management

While penetration testing and code reviewing a customer’s web-application I came across an interesting bug I’m going to describe in this article.

The application in question supports third party plugins which often follow their own coding-conventions.
During code review, a Cross-Site scripting vulnerability was detected in one of those plugins:

<?php
echo "<a href='index.php?plugin=".$_REQUEST['plugin']."'>Link text</a>";
?>

Continue reading “PHP: Exploitation with $_REQUEST while validating $_GET”