ID: 38733
User updated by: gmdarkfig at gmail dot com
Reported By: gmdarkfig at gmail dot com
Status: Open
Bug Type: MySQL related
Operating System: all
PHP Version: 4.4.4
New Comment:
Description:
------------
The goal of the mysql_error() function is to return the error
text from the last MySQL function. This function can lead to
Cross Site Scripting attacks. To conduct this attack, some
parameters are required. If a MySQL function uses a bad parameter
provided by the attacker and if the mysql_error() result is returned to
the user, this can be exploited to conduct a Cross Site Scripting
attack.
This can be useful if the attacker has restricted access to a MySQL
function.
Reproduce code:
---------------
<?php //?db=<script>alert(123)</script>
$link = mysql_connect("localhost", "root", "");
// filter_no_hml_data() is not a PHP built-in; the application must define it
$restrictedaccess = filter_no_hml_data($_GET['db']);
mysql_select_db($restrictedaccess, $link);
echo mysql_errno($link) . ": " . mysql_error($link). "\n";
// MySQL functions list: http://www.php.net/manual/en/ref.mysql.php
?>
Expected result:
----------------
The HTML code is executed.
Previous Comments:
------------------------------------------------------------------------
[2006-09-06 13:03:21] gmdarkfig at gmail dot com
------------------------------------------------------------------------
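
The output pattern described in the report, next to two ways of handling the error text safely. This is an added example, not code from the report or from PHP itself: the three render_error_* helpers are hypothetical names, and the error string is a constructed sample resembling what MySQL returns for an unknown database name.

```php
<?php
// Added example: hypothetical helpers, not part of the original report.

// Constructed sample: the kind of values mysql_errno()/mysql_error() hand
// back after mysql_select_db() is called with the name from the request.
$errno = 1049;
$error = "Unknown database '<script>alert(123)</script>'";

// Pattern from the report: the error text is echoed into the page unchanged,
// so markup embedded in the database name reaches the browser as markup.
function render_error_raw($errno, $error)
{
    return $errno . ": " . $error . "\n";
}

// Mitigation 1: treat the error text as untrusted data and HTML-encode it
// at the point of output.
function render_error_escaped($errno, $error)
{
    return (int) $errno . ": "
        . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . "\n";
}

// Mitigation 2: keep the detail in the server log and show the user a
// fixed message that contains no request-derived text.
function render_error_generic($errno, $error)
{
    error_log("MySQL error " . (int) $errno . ": " . $error);
    return "A database error occurred.\n";
}

echo render_error_raw($errno, $error);      // script tag passes through as-is
echo render_error_escaped($errno, $error);  // angle brackets and quotes encoded
echo render_error_generic($errno, $error);  // no detail shown to the user
```

The same encoding applies to any error text a page displays after a database call that took request data as an argument.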