PHP :: Bug #28946 :: Cross-Site scripting on mod

Bug #28946

Cross-Site scripting on mod_php error's page

Submitted:

2004-06-28 12:03 UTC

Modified:

2004-06-29 11:38 UTC

Votes:	1
Avg. Score:	2.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

ripe at 7a69ezine dot org

Assigned:

Status:

Not a bug

Package:

Apache2 related

PHP Version:

4.3.6

OS:

Gentoo Linux

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	ripe at 7a69ezine dot org
New email:
PHP Version:		OS:

New/Additional Comment:

[2004-06-28 12:03 UTC] ripe at 7a69ezine dot org

Description:
------------
	There is a cross-site scripting on mod_php error's 
page that allow to execute javascript stuff.  
 
	You can reproduce the error following this 
step-by-step: 
 
1/ create a page with this content. 
 
	<? include($_GET['inc'] ?> 
 
2/ Try http://host/file.php?inc=<script>alert()</script> 
 
3/ An alert() popup is opened. 
 
 
	It can allow, on a not-well coded websites, to 
change an inofensive error (yes, I know that an include is 
not inofensive but its only the example) to potential XSS 
error that can allow a malicious user, using a litle 
social engineering, to seize a cookie session or other 
data. 

Expected result:
----------------

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-06-28 21:38 UTC] iliaa@php.net

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.

It is up to the developer to handle such issues.

[2004-06-28 21:49 UTC] ripe at 7a69ezine dot org

Trying to include no-existing HELO.inc file apache returns 
tome this HTML code: 
 
<b>Warning</b>:  main(HELO.inc): failed to open stream: No 
such file or directory in 
<b>/home/apuigsech/public_html/data/v.php</b> on line 
<b>3</b><br /> 
 
	?Who write this error code? I think that it's 
written by mod_php, but i'm noyt sure at all cause i have 
no readed php4 source code.

[2004-06-29 11:38 UTC] rasmus@php.net

Yes, but allowing users to specify files to be included is crazy.  Nobody should write code like that.  Never mind the cross-site scripting problem, people could simply specify /etc/passwd to be included.  It is up to the programmer to write code that doesn't do stupid stuff like this.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Nov 05 08:00:02 2025 UTC