ID: 38733
User updated by: gmdarkfig at gmail dot com
Reported By: gmdarkfig at gmail dot com
Status: Bogus
Bug Type: MySQL related
Operating System: all
PHP Version: 4.4.4

New Comment:

It is not written in the mysql_error manual. Many people return the result of the mysql_error function, see http://www.koders.com/?s=or+die+mysql_error&_%3Abtn=Search&_%3Ala=PHP&_%3Ali=*. Users can alert the webmaster if they see an error. They wouldn't have to display the error for security reasons, but they do that.

Previous Comments:
------------------------------------------------------------------------

[2006-09-06 13:13:23] [EMAIL PROTECTED]

mysql_error() and alike are for debugging purposes only, users MUST NOT see their output.

------------------------------------------------------------------------

[2006-09-06 13:06:28] gmdarkfig at gmail dot com

Description:
------------
The goal of the mysql_error() function is to return the error text from the last MySQL function. This function can lead to Cross Site Scripting attacks. To conduct this attack, some parameters are required. If a mysql function uses a bad parameter provided by the attacker and the mysql_error() result is returned to the user, this can be exploited to conduct a Cross Site Scripting attack. This can be useful if the attacker has restricted access to a mysql function.

Reproduce code:
---------------
<?php
// Request: ?db=<script>alert(123)</script>
$link = mysql_connect("localhost", "root", "");
// filter_no_hml_data() is a placeholder in the report, not a PHP function
$restrictedaccess = filter_no_hml_data($_GET['db']);
mysql_select_db($restrictedaccess, $link);
// The error text, which repeats the supplied database name, is written straight into the page
echo mysql_errno($link) . ": " . mysql_error($link) . "\n";
// MySQL functions list: http://www.php.net/manual/en/ref.mysql.php
?>

Expected result:
----------------
The html code is executed.

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=38733&edit=1
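The same "echo the error text" pattern with the output handled the way the reply above asks for, as an added example that is not part of the bug report or of PHP's own code. The function names are mine, and the MySQL message and error number 1049 are constructed to mirror what the server returns for an unknown database, so no database connection is needed.

```php
<?php
// Added example (not the reporter's code): the reported pattern beside two safe
// alternatives. The error text below is constructed; nothing here talks to MySQL.

// Unsafe: raw driver error text written into an HTML page. Whatever the request
// put in ?db= comes back inside the message and is rendered as markup.
function render_error_unsafe(int $errno, string $error): string {
    return $errno . ": " . $error . "\n";
}

// Safe for HTML output: encode the text for the context it is emitted into.
// ENT_QUOTES also covers attribute contexts; the charset must match the page's.
function render_error_escaped(int $errno, string $error): string {
    return $errno . ": " . htmlspecialchars($error, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "\n";
}

// What the maintainer's reply amounts to: keep driver error text out of the
// response entirely, log it server-side, and give the user an opaque reference
// they can quote to the webmaster.
function render_error_for_user(int $errno, string $error, callable $log): string {
    $ref = bin2hex(random_bytes(4));
    $log(sprintf("[ref %s] MySQL error %d: %s", $ref, $errno, $error));
    return "A database error occurred (reference " . $ref . ").\n";
}

// Constructed sample: MySQL's "Unknown database" message (errno 1049) with the
// reporter's payload as the database name.
$errno = 1049;
$error = "Unknown database '<script>alert(123)</script>'";

echo render_error_unsafe($errno, $error);   // payload reaches the browser as markup
echo render_error_escaped($errno, $error);  // &lt;script&gt;... is shown as text
echo render_error_for_user($errno, $error, function (string $line): void {
    error_log($line);                        // server log, not the response body
});

// Self-check: the escaped form must no longer contain a raw tag.
if (strpos(render_error_escaped($errno, $error), '<script>') !== false) {
    throw new RuntimeException('escaping failed');
}
```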