ID:               28946
 Updated by:       [EMAIL PROTECTED]
 Reported By:      ripe at 7a69ezine dot org
-Status:           Open
+Status:           Bogus
 Bug Type:         Apache2 related
 Operating System: Gentoo Linux
 PHP Version:      4.3.6
 New Comment:

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.

It is up to the developer to handle such issues. 


Previous Comments:
------------------------------------------------------------------------

[2004-06-28 12:03:29] ripe at 7a69ezine dot org

Description:
------------
        There is a cross-site scripting issue on mod_php's 
error page that allows JavaScript to be executed.  
 
        You can reproduce the error by following these 
steps: 
 
1/ create a page with this content. 
 
        <? include($_GET['inc']); ?> 
 
2/ Try http://host/file.php?inc=<script>alert()</script> 
 
3/ An alert() popup is opened. 
 
 
        On not-well-coded websites, it can allow an 
inoffensive error (yes, I know that an include is 
not inoffensive, but it's only the example) to be changed 
into a potential XSS error that can allow a malicious user, 
using a little social engineering, to seize a cookie session 
or other data. 

Expected result:
----------------
 



------------------------------------------------------------------------
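
Added example, not part of the original report or of PHP itself: one way a developer can handle this on the application side, as the closing comment says is their job. It resolves `inc` through an allowlist so the request value never reaches `include`, keeps PHP error text out of the response, and HTML-encodes anything echoed back. The page names and paths are hypothetical, and the code assumes a current PHP release rather than 4.3.6.

```php
<?php
// Added example: hardened version of the include-by-parameter page.
// Page names and file paths below are hypothetical placeholders.

// Keep PHP diagnostics out of the HTTP response and send them to the log.
// Setting these in php.ini is preferable; ini_set() only covers runtime errors.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Allowlist: request value => file on disk. User input never becomes a path.
$pages = array(
    'home'    => __DIR__ . '/pages/home.php',
    'contact' => __DIR__ . '/pages/contact.php',
);

function resolve_page($requested, $pages)
{
    // Only exact string keys from the allowlist are accepted;
    // arrays (?inc[]=x) and unknown names are rejected.
    if (is_string($requested) && isset($pages[$requested])) {
        return $pages[$requested];
    }
    return null;
}

$requested = isset($_GET['inc']) ? $_GET['inc'] : 'home';
$file = resolve_page($requested, $pages);

if ($file === null || !is_file($file)) {
    http_response_code(404);
    // If the rejected value is echoed at all, encode it for the HTML context
    // so markup in the parameter is shown as text and not interpreted.
    $shown = is_string($requested) ? $requested : '';
    echo 'Unknown page: ' . htmlspecialchars($shown, ENT_QUOTES, 'UTF-8');
    exit;
}

include $file;
```
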


-- 
Edit this bug report at http://bugs.php.net/?id=28946&edit=1
