Thread-topic: mysql_error() can lead to Cross Site Scripting attacks
> -----Original Message-----
> From: gmdarkfig@xxxxxxxxx [mailto:gmdarkfig@xxxxxxxxx]
> Sent: Wednesday, September 20, 2006 4:48 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: mysql_error() can lead to Cross Site Scripting attacks
>
> mysql_error() can lead to Cross Site Scripting attacks
> ========================================================
> Affected.scr..: PHP4 <= 4.4.4 PHP5 <= 5.1.6
> Advisory.ID...: 11060920
> Risk.level....: Low
> Vendor.Status.: Patched
> Src.download..:
> Adv.link......: acid-root.new.fr/advisories/11060920.txt
> ========================================================
>
>
> ==[ OVERVIEW
> ============
> PHP: Hypertext Preprocessor is an open source server side
> programming language extensively used for web scripts and to
> process data passed via the Common Gateway Interface from
> HTML forms etc. PHP can be written as scripts that reside on
> the server and may produce HTML output that downloads to the
> web browser. Alternatively, PHP can be embedded within HTML
> pages that are then saved with a .php file extension. The PHP
> sections of the page are then parsed by the PHP engine on the
> server and the PHP code stripped out before the page is
> downloaded to the web browser. The name is a bit of a
> programming joke (if there is sucha thing) since it's a
> recursive acronym i.e. the P in PHP stands for PHP.
>
>
> ==[ DETAILS
> ===========
> The goal of the mysql_error() function is to return the error
> text from the last MySQL function. This function can lead to
> Cross Site Scripting attacks. To conduct this attack, some
> parameters are required. If an mysql function use a bad parameter
> provided by the attacker and if the mysql_error() result is
> returned to the user, this can be exploited to conduct Cross
> Site Scripting attack. This can be useful if the attacker has
> a restricted access to an mysql function.
>
>
> ==[ POC/EXPLOIT
> ===============
> <?php //?db=<script>alert(666)</script>
> $link = mysql_connect("localhost", "root", "");
> mysql_select_db($db, $link);
> echo mysql_errno($link) . ": " . mysql_error($link). "\n";
> ?>
>
>
> ==[ LINKS
> =========
> Mysql functions list.:
> Discussion on php.net:
>
>
> ==[ SOLUTION
> ============
> No response from PHP Team.
>
>
> ==[ TIMELINE
> ============
> 06. Sept. 2006 - Vendor contacted
> 20. Sept. 2006 - Public disclosure
>
>
> ==[ CONTACT
> ===========
> Author: DarkFig
> Web...: www.acid-root.new.fr
> E-mail: gmdarkfig[*]gmail[*]com (fr/en)
>
> Note: Tested on 4.4.3
>
