ID: 33173
Updated by: [EMAIL PROTECTED]
Reported By: max at jestsuper dot pl
-Status: Open
+Status: Bogus
Bug Type: *General Issues
-Operating System: FreeBSD
+Operating System: *
-PHP Version: 4.3.11
+PHP Version: *
New Comment:

Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php

You're not supposed to pass the error information to your users. Show errors is only a convenience thing to aid you while developing. Thus no user will ever see such error messages. So in the end it is not usable for phishing and alike.

Previous Comments:
------------------------------------------------------------------------

[2005-05-28 16:57:51] max at jestsuper dot pl

Description:
------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Author: cXIb8O3(Maksymilian Arciemowicz)
Date: 28.5.2005
from securityreason.com TEAM

- --- 0. Bug in PHP 4.3.11 display_error. ---

This bug can be danger, because someone can do xss and Phishing attack.
Problem exist in display_errors..

Example php script:

<?php
include($_GET['varible']);
?>

and now request is

?varible=XXX

so can we see any error.

- ---
Warning: main(XXX): failed to open stream: No such file or directory in /www/dupa.php on line 2

Warning: main(): Failed opening 'XXX' for inclusion (include_path='.:') in /www/dupa.php on line 2
- ---

Normal. But now varible have for example <h1>SR</h1>

And error messages is:

- ---
Warning: main( SR ): failed to open stream: No such file or directory in /www/dupa.php on line 2

Warning: main(): Failed opening '<h1>SR</h1>' for inclusion (include_path='.:') in /www/dupa.php on line 2
- ---

So XSS...
Danger can be tag <script> <iframe>, because you can see cookies etc.

For example.

?varible=<script>alert(document.cookie);</script>

And have you cookies from this domain!
This XSS is critical, because exist in display_error and hacker can do XSS and Phishing attack.
For example, if this bug exist in a Bank site... hacker can create <FORM> or mirror site...

- --- 1.Contact ---

Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: securityreason.com TEAM
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCmIWvznmvyJCR4zQRAuqtAKCcyXWQnMdPvCn+6+npQiGEbXvAZwCgq172
+J8w9EzGFE49sXxP1MPbSfI=
=QksY
-----END PGP SIGNATURE-----

Actual result:
--------------
XSS

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=33173&edit=1
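
An added example, not part of the bug report or of PHP itself: the report's include script with errors kept out of the response and the request value resolved through an allowlist. The page names, the log path and the APP_ENV flag are assumptions made for illustration.

```php
<?php
// Added example; page names, log path and APP_ENV are assumptions.

// Production settings: diagnostics go to a log, never into the response.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-error.log'); // assumed path

// If warnings are shown during development, escape them first so request
// data quoted inside a message cannot be interpreted as markup.
function render_escaped_error(int $errno, string $errstr, string $errfile, int $errline): bool
{
    $line = "$errstr in $errfile on line $errline";
    error_log("PHP [$errno] $line");
    if (getenv('APP_ENV') === 'development') { // hypothetical environment flag
        echo '<pre>', htmlspecialchars($line, ENT_QUOTES, 'UTF-8'), '</pre>';
    }
    return true; // skip PHP's built-in handler and its own output
}
set_error_handler('render_escaped_error');

// Allowlist: the request value selects a fixed file and is never passed
// to include() itself.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page($requested): ?string
{
    // Rejects missing values, arrays (?varible[]=x) and unknown names.
    if (!is_string($requested) || !isset(PAGES[$requested])) {
        return null;
    }
    return PAGES[$requested];
}

$target = resolve_page($_GET['varible'] ?? null); // parameter name as in the report
if ($target === null) {
    http_response_code(404);
    echo 'Page not found'; // fixed text, nothing from the request is echoed
    exit;
}
include $target;
```

set_error_handler() does not receive fatal errors, so the display_errors setting is still needed alongside the handler.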
