From: gmdarkfig at gmail dot com
Operating system: all
PHP version: 4.4.4
PHP Bug Type: MySQL related
Bug description: mysql_error() can lead to Cross Site Scripting attacks
Description:
------------
The goal of the mysql_error() function is to return the error
text from the last MySQL function. This function can lead to
Cross Site Scripting attacks. To conduct this attack, some
parameters are required. If a mysql function uses a bad parameter provided
by the attacker and if the mysql_error() result is returned to the user,
this can be exploited to conduct a Cross Site Scripting attack. This can be
useful if the attacker has restricted access to a mysql function.
Reproduce code:
---------------
<?php //?db=<script>alert(123)</script>
$link = mysql_connect("localhost", "root", "");
// filter_no_hml_data() is the reporter's placeholder for an application
// filter, not a PHP built-in; the db name still reaches mysql_select_db().
$restrictedaccess = filter_no_hml_data($_GET['db']);
mysql_select_db($restrictedaccess, $link);
// The error text contains the attacker-supplied db name and is echoed unescaped.
echo mysql_errno($link) . ": " . mysql_error($link) . "\n";
// MySQL functions list: http://www.php.net/manual/en/ref.mysql.php
?>
Expected result:
----------------
The HTML code is executed.
--
Edit bug report at http://bugs.php.net/?id=38733&edit=1
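A defensive counterpart to the reproduce script, added here as an example and not part of the original report or of PHP itself. It assumes the same ext/mysql API the report uses; the helper name safe_db_error_html() and the constructed input are mine.

```php
<?php
// Added example (not from the bug report): same flow as the reproduce
// script, but the MySQL error text never reaches the page unescaped.
// Assumes the legacy ext/mysql API used in the report (PHP 4/5).

function safe_db_error_html($link) {
    // Raw error text can echo back attacker-supplied input (here, the db name).
    $raw = mysql_error($link);
    // Keep full detail server-side for operators, never in the HTML response.
    error_log("mysql error " . mysql_errno($link) . ": " . $raw);
    // HTML-escape anything that reaches the browser so <script> is rendered inert.
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed input standing in for ?db=<script>alert(123)</script>
$db = '<script>alert(123)</script>';

$link = mysql_connect("localhost", "root", "");
if (!mysql_select_db($db, $link)) {
    // Vulnerable form shown in the report: echo mysql_error($link);
    // Hardened form: escaped text; a generic message is preferable in production.
    echo "Database error: " . safe_db_error_html($link) . "\n";
}
?>
```

With the escaping in place the browser shows the literal text `&lt;script&gt;alert(123)&lt;/script&gt;` inside the "Unknown database" message instead of executing it.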