[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060921073033.GA5158@westend.com>
Date: Thu, 21 Sep 2006 09:30:33 +0200
From: Christian Hammers <ch@...tend.com>
To: gmdarkfig@...il.com
Cc: bugtraq@...urityfocus.com
Subject: Re: mysql_error() can lead to Cross Site Scripting attacks
Hello DarkFig
As in the PHP bug report written, too, the bug here is not in the
mysql_error() function but in the program that writes its output on a HTML
page without proper escaping with htmlentities() or htmlspecialchars().
mysql_error() is not limited to web programming, it is used in console
scripts, too, that do not output HTML at all so it would be wrong if
mysql_error() would escape its output. Apart from the fact that SQL layer
functions should never mix up with the presentation layer.
BTW,
- you wrote "Vendor Status: Patched" although the bug was set to "Bogus"
and did not seem to have got any patch
- you wrote "No response from the PHP team" although there was a response
on 2006-09-06
bye,
-christian-
On Wed, Sep 20, 2006 at 12:47:54PM -0000, gmdarkfig@...il.com wrote:
> mysql_error() can lead to Cross Site Scripting attacks ========================================================
> Affected.scr..: PHP4 <= 4.4.4 PHP5 <= 5.1.6
> Advisory.ID...: 11060920
> Risk.level....: Low
> Vendor.Status.: Patched
> Src.download..: http://www.php.net/
> Adv.link......: acid-root.new.fr/advisories/11060920.txt
> ========================================================
>
>
> ==[ OVERVIEW
> ============
> PHP: Hypertext Preprocessor is an open source server side
> programming language extensively used for web scripts and to
> process data passed via the Common Gateway Interface from
> HTML forms etc. PHP can be written as scripts that reside on
> the server and may produce HTML output that downloads to the
> web browser. Alternatively, PHP can be embedded within HTML
> pages that are then saved with a .php file extension. The PHP
> sections of the page are then parsed by the PHP engine on the
> server and the PHP code stripped out before the page is
> downloaded to the web browser. The name is a bit of a
> programming joke (if there is sucha thing) since it's a
> recursive acronym i.e. the P in PHP stands for PHP.
>
>
> ==[ DETAILS
> ===========
> The goal of the mysql_error() function is to return the error
> text from the last MySQL function. This function can lead to
> Cross Site Scripting attacks. To conduct this attack, some
> parameters are required. If an mysql function use a bad parameter
> provided by the attacker and if the mysql_error() result is
> returned to the user, this can be exploited to conduct Cross
> Site Scripting attack. This can be useful if the attacker has
> a restricted access to an mysql function.
>
>
> ==[ POC/EXPLOIT
> ===============
> <?php //?db=<script>alert(666)</script>
> $link = mysql_connect("localhost", "root", "");
> mysql_select_db($db, $link);
> echo mysql_errno($link) . ": " . mysql_error($link). "\n";
> ?>
>
>
> ==[ LINKS
> =========
> Mysql functions list.: http://www.php.net/manual/en/ref.mysql.php
> Discussion on php.net: http://bugs.php.net/bug.php?id=38733&edit=2
>
>
> ==[ SOLUTION
> ============
> No response from PHP Team.
>
>
> ==[ TIMELINE
> ============
> 06. Sept. 2006 - Vendor contacted
> 20. Sept. 2006 - Public disclosure
>
>
> ==[ CONTACT
> ===========
> Author: DarkFig
> Web...: www.acid-root.new.fr
> E-mail: gmdarkfig[*]gmail[*]com (fr/en)
>
> Note: Tested on 4.4.3
>
--
Christian Hammers WESTEND GmbH | Internet-Business-Provider
Technik CISCO Systems Partner - Authorized Reseller
Lütticher Straße 10 Tel 0241/701333-11
ch@...tend.com D-52064 Aachen Fax 0241/911879
Powered by blists - more mailing lists