Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: mysql_error() can lead to Cross Site Scripting attacks



> -----Original Message-----
> From: gmdarkfig@xxxxxxxxx [mailto:gmdarkfig@xxxxxxxxx] 
> Sent: Wednesday, September 20, 2006 4:48 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: mysql_error() can lead to Cross Site Scripting attacks
> 
> mysql_error() can lead to Cross Site Scripting attacks 
> ========================================================
>  Affected.scr..: PHP4 <= 4.4.4  PHP5 <= 5.1.6
>  Advisory.ID...: 11060920
>  Risk.level....: Low
>  Vendor.Status.: Patched
>  Src.download..: http://www.php.net/
>  Adv.link......: acid-root.new.fr/advisories/11060920.txt
>  ========================================================
> 
> 
> ==[ OVERVIEW
> ============
> PHP: Hypertext Preprocessor is an open source server side
> programming language extensively used for web scripts and to
> process data passed via the Common Gateway Interface from
> HTML forms etc. PHP can be written as scripts that reside on
> the server and may produce HTML output that downloads to the
> web browser. Alternatively, PHP can be embedded within HTML
> pages that are then saved with a .php file extension. The PHP
> sections of the page are then parsed by the PHP engine on the
> server and the PHP code stripped out before the page is
> downloaded to the web browser. The name is a bit of a
> programming joke (if there is such a thing) since it's a
> recursive acronym i.e. the P in PHP stands for PHP.
> 
> 
> ==[ DETAILS
> ===========
> The goal of the mysql_error() function is to return the error
> text from the last MySQL function. This function can lead to
> Cross Site Scripting attacks. To conduct this attack, some
> parameters are required. If a mysql function uses a bad parameter
> provided by the attacker and if the mysql_error() result is
> returned to the user, this can be exploited to conduct a Cross
> Site Scripting attack. This can be useful if the attacker has
> restricted access to a mysql function.
> 
> 
> ==[ POC/EXPLOIT
> ===============
> <?php  //?db=<script>alert(666)</script>
> $link = mysql_connect("localhost", "root", "");
> mysql_select_db($db, $link);
> echo mysql_errno($link) . ": " . mysql_error($link). "\n";
> ?>
> 
> 
> ==[ LINKS
> =========
> Mysql functions list.: http://www.php.net/manual/en/ref.mysql.php
> Discussion on php.net: http://bugs.php.net/bug.php?id=38733&edit=2
> 
> 
> ==[ SOLUTION
> ============
> No response from PHP Team.
> 
> 
> ==[ TIMELINE
> ============
> 06. Sept. 2006 - Vendor contacted
> 20. Sept. 2006 - Public disclosure
> 
> 
> ==[ CONTACT
> ===========
> Author: DarkFig
> Web...: www.acid-root.new.fr
> E-mail: gmdarkfig[*]gmail[*]com (fr/en)
> 
> Note: Tested on 4.4.3
> 
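
The output pattern from the PoC above beside a hardened form, as an added example that is not part of the original advisory or of PHP itself. The function names valid_db_name() and render_db_error() are hypothetical, the error string is a constructed sample of MySQL error 1049, and the code assumes PHP 7 or later syntax.

```php
<?php
// Added example; valid_db_name() and render_db_error() are hypothetical names.

// Allowlist check applied before the value reaches any database call.
function valid_db_name(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,64}$/', $name) === 1;
}

// Build the HTML shown for a database failure. The driver's error text can
// repeat request input (here the database name), so it is untrusted data.
function render_db_error(int $errno, string $errmsg, bool $debug = false): string
{
    // The raw message goes to the server log, not into the HTTP response.
    error_log(sprintf('db error %d: %s', $errno, $errmsg));

    if (!$debug) {
        // Production: generic text, no driver output at all.
        return '<p class="error">A database error occurred.</p>';
    }
    // Debug: show the text, HTML-encoded for the context it is written into.
    $safe = htmlspecialchars($errmsg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf('<p class="error">%d: %s</p>', $errno, $safe);
}

// Constructed sample: the ?db= value from the PoC and the error text the
// server reports for it ("Unknown database", error 1049).
$db     = '<script>alert(666)</script>';
$errno  = 1049;
$errmsg = "Unknown database '" . $db . "'";

// 1. Input validation rejects the value before any query is attempted.
echo 'valid_db_name: ', var_export(valid_db_name($db), true), "\n";

// 2. The PoC's output pattern: the markup is written to the page unchanged.
echo 'unescaped:  ', $errno . ': ' . $errmsg, "\n";

// 3. Hardened output, with and without debug detail.
echo 'debug:      ', render_db_error($errno, $errmsg, true), "\n";
echo 'production: ', render_db_error($errno, $errmsg), "\n";
```

Run from the command line, the "debug" line shows the script tag as &lt;script&gt; entities, and error_log() writes the raw message to stderr.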



 



