Hello DarkFig As in the PHP bug report written, too, the bug here is not in the mysql_error() function but in the program that writes its output on a HTML page without proper escaping with htmlentities() or htmlspecialchars(). mysql_error() is not limited to web programming, it is used in console scripts, too, that do not output HTML at all so it would be wrong if mysql_error() would escape its output. Apart from the fact that SQL layer functions should never mix up with the presentation layer. BTW, - you wrote "Vendor Status: Patched" although the bug was set to "Bogus" and did not seem to have got any patch - you wrote "No response from the PHP team" although there was a response on 2006-09-06 bye, -christian- On Wed, Sep 20, 2006 at 12:47:54PM -0000, gmdarkfig@xxxxxxxxx wrote: > mysql_error() can lead to Cross Site Scripting attacks ======================================================== > Affected.scr..: PHP4 <= 4.4.4 PHP5 <= 5.1.6 > Advisory.ID...: 11060920 > Risk.level....: Low > Vendor.Status.: Patched > Src.download..: http://www.php.net/ > Adv.link......: acid-root.new.fr/advisories/11060920.txt > ======================================================== > > > ==[ OVERVIEW > ============ > PHP: Hypertext Preprocessor is an open source server side > programming language extensively used for web scripts and to > process data passed via the Common Gateway Interface from > HTML forms etc. PHP can be written as scripts that reside on > the server and may produce HTML output that downloads to the > web browser. Alternatively, PHP can be embedded within HTML > pages that are then saved with a .php file extension. The PHP > sections of the page are then parsed by the PHP engine on the > server and the PHP code stripped out before the page is > downloaded to the web browser. The name is a bit of a > programming joke (if there is sucha thing) since it's a > recursive acronym i.e. the P in PHP stands for PHP. > > > ==[ DETAILS > =========== > The goal of the mysql_error() function is to return the error > text from the last MySQL function. This function can lead to > Cross Site Scripting attacks. To conduct this attack, some > parameters are required. If an mysql function use a bad parameter > provided by the attacker and if the mysql_error() result is > returned to the user, this can be exploited to conduct Cross > Site Scripting attack. This can be useful if the attacker has > a restricted access to an mysql function. > > > ==[ POC/EXPLOIT > =============== > <?php //?db=<script>alert(666)</script> > $link = mysql_connect("localhost", "root", ""); > mysql_select_db($db, $link); > echo mysql_errno($link) . ": " . mysql_error($link). "\n"; > ?> > > > ==[ LINKS > ========= > Mysql functions list.: http://www.php.net/manual/en/ref.mysql.php > Discussion on php.net: http://bugs.php.net/bug.php?id=38733&edit=2 > > > ==[ SOLUTION > ============ > No response from PHP Team. > > > ==[ TIMELINE > ============ > 06. Sept. 2006 - Vendor contacted > 20. Sept. 2006 - Public disclosure > > > ==[ CONTACT > =========== > Author: DarkFig > Web...: www.acid-root.new.fr > E-mail: gmdarkfig[*]gmail[*]com (fr/en) > > Note: Tested on 4.4.3 > -- Christian Hammers WESTEND GmbH | Internet-Business-Provider Technik CISCO Systems Partner - Authorized Reseller Lütticher Straße 10 Tel 0241/701333-11 ch@xxxxxxxxxxx D-52064 Aachen Fax 0241/911879
