TUCoPS :: Web :: Apps :: b06-4820.htm

mysql_error() can lead to Cross Site Scripting attacks
mysql_error() can lead to Cross Site Scripting attacks
mysql_error() can lead to Cross Site Scripting attacks



mysql_error() can lead to Cross Site Scripting attacks =========================================================0D
 Affected.scr..: PHP4 <= 4.4.4  PHP5 <= 5.1.6=0D
 Advisory.ID...: 11060920=0D
 Risk.level....: Low=0D
 Vendor.Status.: Patched=0D
Src.download..: http://www.php.net/=0D 
 Adv.link......: acid-root.new.fr/advisories/11060920.txt=0D
 =========================================================0D
=0D
=0D
==[ OVERVIEW=0D
=============0D
PHP: Hypertext Preprocessor is an open source server side=0D
programming language extensively used for web scripts and to=0D
process data passed via the Common Gateway Interface from=0D
HTML forms etc. PHP can be written as scripts that reside on=0D
the server and may produce HTML output that downloads to the=0D
web browser. Alternatively, PHP can be embedded within HTML=0D
pages that are then saved with a .php file extension. The PHP=0D
sections of the page are then parsed by the PHP engine on the=0D
server and the PHP code stripped out before the page is=0D
downloaded to the web browser. The name is a bit of a=0D
programming joke (if there is sucha thing) since it's a=0D
recursive acronym i.e. the P in PHP stands for PHP.=0D
=0D
=0D
==[ DETAILS=0D
============0D
The goal of the mysql_error() function is to return the error=0D
text from the last MySQL function. This function can lead to=0D
Cross Site Scripting attacks. To conduct this attack, some=0D
parameters are required. If an mysql function use a bad parameter=0D
provided by the attacker and if the mysql_error() result is=0D
returned to the user, this can be exploited to conduct Cross=0D
Site Scripting attack. This can be useful if the attacker has=0D
a restricted access to an mysql function.=0D
=0D
=0D
==[ POC/EXPLOIT=0D
================0D
alert(666)=0D
$link = mysql_connect("localhost", "root", "");=0D
mysql_select_db($db, $link);=0D
echo mysql_errno($link) . ": " . mysql_error($link). "\n";=0D
?>=0D
=0D
=0D
==[ LINKS=0D
==========0D
Mysql functions list.: http://www.php.net/manual/en/ref.mysql.php=0D 
Discussion on php.net: http://bugs.php.net/bug.php?id=38733&edit=2=0D 
=0D
=0D
==[ SOLUTION=0D
=============0D
No response from PHP Team.=0D
=0D
=0D
==[ TIMELINE=0D
=============0D
06. Sept. 2006 - Vendor contacted=0D
20. Sept. 2006 - Public disclosure=0D
=0D
=0D
==[ CONTACT=0D
============0D
Author: DarkFig=0D
Web...: www.acid-root.new.fr=0D 
E-mail: gmdarkfig[*]gmail[*]com (fr/en)=0D
=0D
Note: Tested on 4.4.3

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH