Use the $ _ SERVER and $ _ SESSION variables to create various Backdoors

First, let's take a look at the php official manual's Annotation for $ _ SERVER ['path _ info']: This value is any PATH information submitted by the client, the value is after the actual Script Name and before the query string. For example, assume that the current url is http://www.bkjia.com /Php/path_info.php/some/stuff? Foo = bar, then the value of $ _ SERVER ['path _ info'] Is/some/stuff. Then let's look at the following code: test. php <? Php session_start (); var_dump ($ _ SESSION ['test']); echo '<br/> '; $ _ SESSION ['test'] = $ _ SERVER ['path _ info']; var_dump ($ _ SESSION ['test']);?> access url: http://localhost/test.php/a Return page: Notice: A session had already been started-ignoring session_start () in D: \ Apacheroot \ test. php on line 2 Notice: Undefined index: test in D: \ Apacheroot \ test. php on line 3 NULL string (2) "/B" refresh and return: Notice: A session had already been started-ignoring session_start () in D: \ Apacheroot \ test. php on line 2 string (7) "/notice" string (2) "/B" what's strange? After the refresh, var_dump ($ _ SESSION ['test']) returns/notice, which is the same as the address of the img tag. Why? The reason is that /test is loaded for browser access. php/notice, which triggers test. in php, the $ _ SERVER ['path _ info'] variable changes, and the session variable changes. Therefore, every time you refresh the page, $ _ SESSION ['test'] outputs notice. So what security risks will this cause? Any address in the img tag can be output to the webpage and valid in the session, which forms a natural (reflection + storage + dom type) XSS/CSRF, because the vast majority of security software only scans webshell, one-sentence Trojan, and other content, and does not scan js script content, it can avoid killing, other dangers can also be determined with the Environment