From: max at jestsuper dot pl
Operating system: FreeBSD
PHP version: 4.3.11
PHP Bug Type: *General Issues
Bug description: Bug in PHP 4.3.11 display_error.
Description:
------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Author: cXIb8O3 (Maksymilian Arciemowicz)
Date: 28.5.2005
from securityreason.com TEAM

- --- 0. Bug in PHP 4.3.11 display_error. ---

This bug can be dangerous, because someone can do XSS and phishing attacks. The problem exists in display_errors.

Example PHP script:

    <?php
    include($_GET['varible']);
    ?>

and now the request is

    ?varible=XXX

so we can see the error:

- ---
Warning: main(XXX): failed to open stream: No such file or directory in /www/dupa.php on line 2
Warning: main(): Failed opening 'XXX' for inclusion (include_path='.:') in /www/dupa.php on line 2
- ---

Normal. But now the variable is, for example, <h1>SR</h1>, and the error messages are:

- ---
Warning: main( SR ): failed to open stream: No such file or directory in /www/dupa.php on line 2
Warning: main(): Failed opening '<h1>SR</h1>' for inclusion (include_path='.:') in /www/dupa.php on line 2
- ---

So XSS... Dangerous tags are <script> and <iframe>, because you can see cookies etc. For example:

    ?varible=<script>alert(document.cookie);</script>

And you have the cookies from this domain! This XSS is critical, because it exists in display_error and a hacker can do XSS and phishing attacks. For example, if this bug exists in a bank site, a hacker can create a <FORM> or a mirror site...
- --- 1. Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: securityreason.com TEAM

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCmIWvznmvyJCR4zQRAuqtAKCcyXWQnMdPvCn+6+npQiGEbXvAZwCgq172
+J8w9EzGFE49sXxP1MPbSfI=
=QksY
-----END PGP SIGNATURE-----

Actual result:
--------------
XSS

-- 
Edit bug report at http://bugs.php.net/?id=33173&edit=1
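The report above shows the unsafe pattern: a request parameter is passed straight to include(), and with display_errors on, PHP echoes the unescaped value back inside the warning text. The script below is an added example written for this page, not code from the report or from the PHP project; it shows the same include pattern hardened on three independent levels, so the reflected value never reaches the browser as markup. The parameter name `page`, the allow-list entries and the `pages/` paths are assumptions made for the example.

```php
<?php
// Added example (not from the original report): the include pattern from the
// report, hardened so neither user input nor PHP's warning text reaches the
// browser unescaped.

// 1. Never display errors to the client in production; log them instead.
//    These are the runtime equivalents of display_errors=Off and
//    log_errors=On in php.ini, which removes the reflection entirely.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 2. Only include files from a fixed allow-list. The request parameter picks
//    a key; it is never used as a path, so a missing file (and the warning
//    that would mention the submitted value) cannot be triggered by the user.
//    Parameter name and page paths are assumptions for this example.
$pages = array(
    'home'    => 'pages/home.php',
    'contact' => 'pages/contact.php',
);

$key = isset($_GET['page']) ? $_GET['page'] : 'home';

if (!isset($pages[$key])) {
    // If the rejected value is reflected at all, escape it first, so a value
    // such as <h1>SR</h1> or a <script> tag is rendered as text, not markup.
    header('HTTP/1.0 404 Not Found');
    echo 'Unknown page: ' . htmlspecialchars($key, ENT_QUOTES, 'UTF-8');
    exit;
}

// 3. Defence in depth: a custom error handler that escapes anything it prints,
//    for environments (e.g. a development server) where some diagnostic output
//    must still be visible. Returning true suppresses PHP's built-in output.
function safe_error_handler($errno, $errstr, $errfile, $errline)
{
    error_log("PHP error $errno: $errstr in $errfile on line $errline");
    if (ini_get('display_errors')) {
        echo '<b>Error:</b> ' . htmlspecialchars($errstr, ENT_QUOTES, 'UTF-8');
    }
    return true;
}
set_error_handler('safe_error_handler');

include $pages[$key];
?>
```

The first measure is the one that matters operationally: with display_errors off, nothing in this report is reachable from the browser, and the warnings still land in the error log where they can be monitored. The allow-list removes the path-controlled include (a separate and larger class of bug than the XSS) and the escaping handler covers any remaining diagnostic output that does get shown.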
