ID:               28946
 User updated by:  ripe at 7a69ezine dot org
 Reported By:      ripe at 7a69ezine dot org
 Status:           Bogus
 Bug Type:         Apache2 related
 Operating System: Gentoo Linux
 PHP Version:      4.3.6
 New Comment:

Trying to include a non-existing HELO.inc file, Apache returns 
to me this HTML code: 
 
<b>Warning</b>:  main(HELO.inc): failed to open stream: No 
such file or directory in 
<b>/home/apuigsech/public_html/data/v.php</b> on line 
<b>3</b><br /> 
 
        Who writes this error code? I think that it's 
written by mod_php, but I'm not sure at all because I have 
not read the PHP 4 source code.


Previous Comments:
------------------------------------------------------------------------

[2004-06-28 21:38:03] [EMAIL PROTECTED]

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.

It is up to the developer to handle such issues. 

------------------------------------------------------------------------

[2004-06-28 12:03:29] ripe at 7a69ezine dot org

Description:
------------
        There is a cross-site scripting on mod_php's error 
page that allows executing JavaScript stuff.  
 
        You can reproduce the error by following these 
steps: 
 
1/ Create a page with this content. 
 
        <?php include($_GET['inc']); ?> 
 
2/ Try http://host/file.php?inc=<script>alert()</script> 
 
3/ An alert() popup is opened. 
 
 
        It can allow, on not-well-coded websites, turning an 
inoffensive error (yes, I know that an include is 
not inoffensive, but it's only the example) into a potential XSS 
error that can allow a malicious user, using a little 
social engineering, to seize a session cookie or other 
data. 

Expected result:
----------------
 



------------------------------------------------------------------------
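As an added example (not code from the bug report or from PHP itself): the reporter's step-1 page beside a hardened form that keeps request data out of include() and keeps error text out of the response. The HTML-wrapped warning quoted above is emitted by PHP's own error display (display_errors with html_errors on), so logging instead of displaying removes the reflection independently of how the include argument is validated. The include directory, the allowlist keys and the file names are assumptions.

```php
<?php
// Added example, not part of bug #28946. Vulnerable pattern from the report
// (step 1, with the missing ')' added):
//
//   include($_GET['inc']);
//
// Untrusted input becomes the include path; with display_errors on, the
// "failed to open stream" warning embeds that input in PHP's HTML error
// text. The hardened form below uses the request value only as a lookup key.

declare(strict_types=1);

// Assumed layout: the only files this page may pull in live here.
const INCLUDE_DIR = __DIR__ . '/includes';

// Allowlist (assumed entries): request key => file name. Anything else is refused.
const ALLOWED_INCLUDES = [
    'helo'  => 'HELO.inc',
    'about' => 'about.inc',
];

/**
 * Resolve a request parameter to a path inside INCLUDE_DIR, or null.
 * The untrusted value never reaches the filesystem as a path.
 */
function resolve_include(string $key): ?string
{
    if (!array_key_exists($key, ALLOWED_INCLUDES)) {
        return null;
    }
    $path = INCLUDE_DIR . '/' . ALLOWED_INCLUDES[$key];
    // A listed file that is missing is a deployment bug, not user error.
    return is_file($path) ? $path : null;
}

// Diagnostics go to the error log, not to the browser.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

$key  = (string) ($_GET['inc'] ?? '');
$path = resolve_include($key);

if ($path === null) {
    http_response_code(404);
    // If the key must be echoed at all, escape it for the HTML context.
    echo 'Unknown page: ' . htmlspecialchars($key, ENT_QUOTES, 'UTF-8');
    exit;
}

include $path;
```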

