Edit report at https://bugs.php.net/bug.php?id=62964&edit=1
ID: 62964
Comment by: david at nnucomputerwhiz dot com
Reported by: ymaryshev at ptsecurity dot ru
Summary: Cross-Site Scripting
Status: Open
Type: Bug
Package: *General Issues
Operating System: win
PHP Version: 5.4.6
Block user comment: N
Private report: N
New Comment:
I can't imagine this bug ever causing any real security problems, but whenever
outputting anything to the browser that could contain HTML entities, they should
be encoded. So php_info_print should probably be modified to use htmlentities so
if it ever tried to print a '&' or '<' to the browser it will be displayed
properly.
Previous Comments:
------------------------------------------------------------------------
[2012-09-01 17:18:40] zyss at mail dot zp dot ua
Unfortunately most of PHP output functions are vulnerable in the same way...
For example, built-in echo function:
$a = "<script>alert('Positive')</script>";
echo $a; // echo IS VULNERABLE!!!11oneoneeleven
Seriously, a healthy programmer never allows untrusted data (user input) to be
passed to stream_filter_register(), or to other functions.
Moreover, phpinfo() should never be exposed.
------------------------------------------------------------------------
[2012-08-29 12:06:08] ymaryshev at ptsecurity dot ru
Description:
------------
An attacker can conduct a cross-site scripting attack because of the incorrect
implementation of the php_info_print_stream_hash function in phpinfo in PHP.
The vulnerability exists in the /ext/sqlite3/info.c file. Here is the vulnerable code:
static void php_info_print_stream_hash(const char *name, HashTable *ht TSRMLS_DC) /* {{{ */
{
    ...
    while (zend_hash_get_current_key_ex(ht, &key, &len, NULL, 0, &pos) == HASH_KEY_IS_STRING) {
        php_info_print(key);  /* the registered name reaches the page as-is, without HTML escaping */
    ...
Test script:
---------------
<?php
stream_filter_register("<script>alert('Positive')</script>","a");
phpinfo();
?>
------------------------------------------------------------------------
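An added example, not code from the bug report or from php-src, that turns the thread's two points into runnable PHP: a probe that registers the report's filter name and checks whether phpinfo() writes it into the HTML verbatim, and the escaped rendering of that table row, which is what encoding at the output point gives you. The noop_filter class, the function names and the use of phpinfo(INFO_GENERAL) to isolate the relevant section are choices made for this example, not anything the report specifies. It assumes PHP 7.4 or later and a SAPI that emits HTML (for instance `php-cgi -q probe.php`, or a web SAPI), since the CLI SAPI prints phpinfo() as plain text.

```php
<?php
// Added example, not from the bug report or php-src. Assumes PHP 7.4+ and a
// SAPI under which phpinfo() emits HTML (php-cgi or a web server module);
// the CLI SAPI prints plain text, where escaping does not apply.

// The filter name from the report, carrying markup. Registering a filter only
// records the name; the class is never instantiated unless some code later
// calls stream_filter_append()/stream_filter_prepend() with that name.
const HOSTILE_FILTER_NAME = "<script>alert('Positive')</script>";

// Hypothetical filter class; it passes data through untouched.
class noop_filter extends php_user_filter
{
    public function filter($in, $out, &$consumed, bool $closing): int
    {
        return PSFS_PASS_ON;
    }
}

// Registers the hostile name once; stream_filter_register() refuses duplicates.
function ensure_hostile_filter_registered(): void
{
    if (!in_array(HOSTILE_FILTER_NAME, stream_get_filters(), true)) {
        stream_filter_register(HOSTILE_FILTER_NAME, 'noop_filter');
    }
}

// Captures the general section of phpinfo(), which holds the
// "Registered Stream Filters" row. Refuses to run in text mode, because
// there the raw name is printed by design and would look like a finding.
function capture_phpinfo_general(): string
{
    if (PHP_SAPI === 'cli') {
        throw new RuntimeException(
            'phpinfo() is in text mode under the CLI SAPI; run this via php-cgi or a web SAPI'
        );
    }
    ob_start();
    phpinfo(INFO_GENERAL);
    return (string) ob_get_clean();
}

// Probe: true when the raw, unescaped filter name is present in the HTML,
// which is the condition the report describes. A build that escapes the
// name emits "&lt;script&gt;" instead, and the probe returns false.
function phpinfo_prints_filter_name_unescaped(): bool
{
    ensure_hostile_filter_registered();
    return strpos(capture_phpinfo_general(), HOSTILE_FILTER_NAME) !== false;
}

// The rendering the row should have: every name is HTML-escaped at the point
// of output, so a filter name can only ever appear as text, never as markup.
function render_filter_row(array $filter_names): string
{
    $escaped = array_map(
        fn(string $name): string => htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        $filter_names
    );
    return '<tr><td class="e">Registered Stream Filters</td><td class="v">'
        . implode(', ', $escaped) . '</td></tr>';
}

ensure_hostile_filter_registered();

// Hardened rendering of the live filter list: the payload survives only as text.
$row = render_filter_row(stream_get_filters());
echo $row, "\n";
echo strpos($row, '<script') === false
    ? "escaped row contains no <script> tag\n"
    : "BUG: escaping failed\n";

// Probe the real phpinfo() output of this build.
try {
    echo phpinfo_prints_filter_name_unescaped()
        ? "this build writes filter names into phpinfo() unescaped\n"
        : "this build escapes filter names in phpinfo()\n";
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

htmlspecialchars() is sufficient here because the value lands in element content, where only `<`, `>`, `&` and the quote characters matter; htmlentities(), as suggested in the comment above, encodes a superset and is equally acceptable. The probe deliberately refuses the CLI rather than reporting "safe" there, since a text-mode phpinfo() prints names raw by design and a false positive would be easy to misread as the reported bug.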