PHP_SELF and XSS

To make it safe to use you need to use htmlspecialchars().

<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8"); ?>

See A XSS Vulnerability in Almost Every PHP Form I’ve Ever Written for how $_SERVER["PHP_SELF"] can be attacked.

It is indeed a XSS vulnerability. I do understand that you believe it may not harm your website, but this doesn't mean it is not real.

If you do not believe it, try the following:

We assume you have a page such as "registration.php".We assume you have a form where action is:

<?php echo $_SERVER['PHP_SELF']; ?>

as you put it down indeed:

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">  <!-- form contents --></form>

Now simply append the string below

%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E

It is not actually hard to understand, because PHP_SELF is a reflection of the URL, your application will read whatever you put in the URL and echo it. It is simple as that.

htmlspecialchars should take care of the matter, no reason to dispute the evidence.

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">   <!-- form contents --></form>

However, even this is a first step in stealing a cookie, it's not that it take place automatically. Even if it's quite easy to craft the attack (as the attacker will register on your site and will see how the cookie looks...etc.), a series of other factors must be true to get to the point of having a cookie stealing situation. For instance, the cookie must not be expired. Than it depends of how complex the cookie is. Than maybe you have other precautions in placed on server, it doesn't have to be all authentication based on the presence of cookie!

While I do believe it is rather difficult and really bad programming for all conditions to met (even if yahoo.mail for example had such a vulnerability and if you look on internet you will find even the exploit and the cookie decoder), the XSS is real and who knows what a crafty attacker may do if your site suffer of it. The cure is simple...

The very article you linked gives you:

http://www.example.com/form.php/%22%3E%3Cscript%3Ealert(‘xss attack’)%3C/script%3E%3Cbr%20class=%22irrelevant

what's not clear?

Edit: this is an XSS attack because I can hide a link from my site to yours with some JS added to the URL which sends me your cookies so the moment you click that link, you are pwnd.