Edit report at https://bugs.php.net/bug.php?id=62964&edit=1
ID: 62964
Updated by: fel...@php.net
Reported by: ymaryshev at ptsecurity dot ru
Summary: Cross-Site Scripting
-Status: Open
+Status: Closed
Type: Bug
Package: *General Issues
Operating System: win
PHP Version: 5.4.6
Block user comment: N
Private report: N

New Comment:

Automatic comment on behalf of felipe...@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=41b73e4cee9ce68b8b78a00eddd4322b0d48dd06
Log: - Fixed bug #62964 (Possible XSS on "Registered stream filters" info)
  patch by: david at nnucomputerwhiz dot com

Previous Comments:
------------------------------------------------------------------------
[2012-09-14 05:59:28] david at nnucomputerwhiz dot com

Added patch. It's a really simple change to use php_info_print_html_esc when appropriate. We do the same thing with other functions like php_print_gpcse_array().

------------------------------------------------------------------------
[2012-09-14 05:35:31] david at nnucomputerwhiz dot com

I can't imagine this bug ever causing any real security problems, but whenever outputting anything to the browser that could contain HTML entities, they should be encoded. So php_info_print should probably be modified to use htmlentities so that if it ever tried to print a '&' or '<' to the browser it will be displayed properly.

------------------------------------------------------------------------
[2012-09-01 17:18:40] zyss at mail dot zp dot ua

Unfortunately most PHP output functions are vulnerable in the same way... For example, the built-in echo function:

    $a = "<script>alert('Positive')</script>";
    echo $a; // echo IS VULNERABLE!!!11oneoneeleven

Seriously, a healthy programmer never allows untrusted data (user input) to be passed to stream_filter_register() as well as to other functions. Moreover, phpinfo() should never be exposed.
------------------------------------------------------------------------
[2012-08-29 12:06:08] ymaryshev at ptsecurity dot ru

Description:
------------
An attacker can conduct a cross-site scripting attack because of the incorrect implementation of the php_info_print_stream_hash function in phpinfo in PHP. The vulnerability exists in the /ext/sqlite3/info.c file. Here is the vulnerable code:

    static void php_info_print_stream_hash(const char *name, HashTable *ht TSRMLS_DC) /* {{{ */
    {
        ...
        while (zend_hash_get_current_key_ex(ht, &key, &len, NULL, 0, &pos) == HASH_KEY_IS_STRING) {
            php_info_print(key);
        ...

Test script:
---------------
<?php
stream_filter_register("<script>alert('Positive')</script>","a");
phpinfo();
?>
------------------------------------------------------------------------
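A check a practitioner can run against a given PHP build to see whether this fix is present, as an added example that is neither the reporter's test script nor php-src code. It assumes a non-text SAPI such as php-cgi is available (phpinfo() only emits HTML there), uses an arbitrary marker string and a hypothetical Bug62964PassthroughFilter class chosen for this check, and relies on phpinfo() listing registered stream filter names in its General section.

```php
<?php
// Added example for bug #62964; it is not part of the bug report or of php-src.
// It registers a stream filter whose name carries an HTML tag, captures
// phpinfo() and reports whether that name was emitted raw (the bug) or
// escaped (the behaviour after the fix, which routes the name through
// php_info_print_html_esc).
//
// phpinfo() only emits HTML when the SAPI is not in text mode, so run this
// with php-cgi ("php-cgi -q check62964.php") or under a web server. Under the
// php CLI binary phpinfo() is plain text and no escaping is expected, which
// the script reports as "text-mode".

// Harmless marker that still contains the characters an XSS payload needs.
// The exact string is an arbitrary choice made for this check.
const MARKER = '<b id="bug62964-marker">x</b>';

// stream_filter_register() only records the name -> class mapping, so the
// class is never instantiated here, but it must exist and extend
// php_user_filter. The #[\ReturnTypeWillChange] attribute keeps PHP 8.1+
// quiet about the untyped signature while remaining a comment on older PHP.
class Bug62964PassthroughFilter extends php_user_filter
{
    #[\ReturnTypeWillChange]
    public function filter($in, $out, &$consumed, $closing)
    {
        while ($bucket = stream_bucket_make_writeable($in)) {
            $consumed += $bucket->datalen;
            stream_bucket_append($out, $bucket);
        }
        return PSFS_PASS_ON;
    }
}

/**
 * Classify how $marker shows up in captured phpinfo() output.
 * Returns "vulnerable", "fixed", "text-mode" or "not-found".
 */
function classifyPhpinfoOutput(string $html, string $marker): string
{
    // Text-mode phpinfo() (CLI SAPI) never escapes, so the check is moot.
    if (stripos($html, '<html') === false) {
        return 'text-mode';
    }
    if (strpos($html, $marker) !== false) {
        return 'vulnerable';   // the raw tag reached the page
    }
    if (strpos($html, htmlspecialchars($marker, ENT_QUOTES)) !== false) {
        return 'fixed';        // escaped, as php_info_print_html_esc does
    }
    return 'not-found';
}

if (!stream_filter_register(MARKER, Bug62964PassthroughFilter::class)) {
    echo "stream_filter_register() failed\n";
    exit(2);
}

ob_start();
phpinfo();
$captured = ob_get_clean();

$verdict = classifyPhpinfoOutput($captured, MARKER);
echo "phpinfo() rendering of the filter name: $verdict\n";
exit($verdict === 'vulnerable' ? 1 : 0);
```

The marker deliberately avoids a script tag so the check can be run against a shared test host without leaving an executable payload in anyone's phpinfo page; the classification only depends on whether '<' and '"' survive unescaped, which is exactly what the patch changes. An exit status of 1 means the build still prints stream filter names through php_info_print() unescaped.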