Bug #62964 Cross-Site Scripting
Submitted: 2012-08-29 12:06 UTC Modified: -
From: ymaryshev at ptsecurity dot ru Assigned:
Status: Closed Package: *General Issues
PHP Version: 5.4.6 OS: win
Private report: No CVE-ID: None
 [2012-08-29 12:06 UTC] ymaryshev at ptsecurity dot ru
Description:
------------
An attacker can conduct a cross-site scripting attack because of the incorrect
implementation of the php_info_print_stream_hash function in phpinfo in PHP.

The vulnerability exists in the /ext/sqlite3/ info.c file. Here is the vulnerable code:

static void php_info_print_stream_hash(const char *name, HashTable *ht TSRMLS_DC) /* {{{ */
{
	...
	while (zend_hash_get_current_key_ex(ht, &key, &len, NULL, 0, &pos) == HASH_KEY_IS_STRING)
	{
		php_info_print(key);
		...

Test script:
---------------
<?php
	stream_filter_register("<script>alert('Positive')</script>","a");
	phpinfo();
?>


Patches

use_php_info_print_html_esc (last revision 2012-09-14 05:56 UTC by david at nnucomputerwhiz dot com)

Pull Requests

History

 [2012-09-01 17:18 UTC] zyss at mail dot zp dot ua
Unfortunately most of PHP output functions are vulnerable in the same way...

For example, built-in echo function:

$a = "<script>alert('Positive')</script>";
echo $a; // echo IS VULNERABLE!!!11oneoneeleven

Seriously, a healthy programmer never allows untrusted data (user input) to be passed to stream_filter_register(), or to other functions.

Moreover, phpinfo() should never be exposed.
 [2012-09-14 05:35 UTC] david at nnucomputerwhiz dot com
I can't imagine this bug ever causing any real security problems, but whenever outputting anything to the browser that could contain HTML entities, they should be encoded. So php_info_print should probably be modified to use htmlentities, so if it ever tried to print a '&' or '<' to the browser it will be displayed properly.
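The description above shows filter names being emitted verbatim, and the comment above proposes escaping in php_info_print. The following is an added example written for this page, not code from php-src or from any commenter: a small C stand-in for the "Registered stream filters" row that renders a list of names either raw (the behaviour reported) or through an HTML escaper (the behaviour the patch aims for). The html_escape() helper, the render_filters() function and the ", " separator are assumptions made for the illustration; the sample filter names are constructed from the report's own test script.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal HTML escaper (assumed helper, not php_info_print_html_esc itself):
 * returns a newly allocated copy of `in` with &, <, >, " and ' replaced by
 * entity forms so the text cannot open a tag or attribute in the page. */
char *html_escape(const char *in) {
    size_t out_len = 0;
    for (const char *p = in; *p; p++) {
        switch (*p) {
            case '&':  out_len += 5; break;  /* &amp;  */
            case '<':
            case '>':  out_len += 4; break;  /* &lt; / &gt; */
            case '"':  out_len += 6; break;  /* &quot; */
            case '\'': out_len += 5; break;  /* &#39;  */
            default:   out_len += 1; break;
        }
    }
    char *out = malloc(out_len + 1);
    if (!out) return NULL;
    char *o = out;
    for (const char *p = in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
        }
        if (rep) { size_t n = strlen(rep); memcpy(o, rep, n); o += n; }
        else     { *o++ = *p; }
    }
    *o = '\0';
    return out;
}

/* Render the filter-name list into buf. With escape == 0 this mirrors the
 * reported loop (names copied into the HTML as-is); with escape != 0 every
 * name passes through html_escape() first. Names are joined with ", "
 * (assumed separator). Returns bytes written, excluding the NUL. */
size_t render_filters(const char **names, size_t count, int escape,
                      char *buf, size_t cap) {
    size_t used = 0;
    if (cap == 0) return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        char *shown = escape ? html_escape(names[i]) : NULL;
        if (escape && !shown) break;        /* allocation failed: stop, never fall back to raw */
        const char *text = shown ? shown : names[i];
        int n = snprintf(buf + used, cap - used, "%s%s", i ? ", " : "", text);
        free(shown);
        if (n < 0 || (size_t)n >= cap - used) { buf[cap - 1] = '\0'; return cap - 1; }
        used += (size_t)n;
    }
    return used;
}

int main(void) {
    /* Constructed sample: one normal filter name and the name from the report's test script. */
    const char *names[] = { "string.rot13", "<script>alert('Positive')</script>" };
    char raw[256], safe[256];
    render_filters(names, 2, 0, raw, sizeof raw);
    render_filters(names, 2, 1, safe, sizeof safe);
    printf("raw:     %s\n", raw);   /* contains a live <script> tag */
    printf("escaped: %s\n", safe);  /* the same name, now inert text */
    return 0;
}
```

The check a reviewer would want is the one the last two lines make visible: after escaping, the registered name still appears in full, but no `<`, `>`, quote or `&` from it survives into the markup, so the listing carries it as text rather than as a tag.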
 [2012-09-14 05:59 UTC] david at nnucomputerwhiz dot com
Added patch. It's a really simple change to use php_info_print_html_esc when appropriate. We do the same thing with other functions like php_print_gpcse_array().
 [2013-06-25 21:00 UTC] felipe@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=41b73e4cee9ce68b8b78a00eddd4322b0d48dd06
Log: - Fixed bug #62964 (Possible XSS on "Registered stream filters" info) patch by: david at nnucomputerwhiz dot com
 [2013-06-25 21:00 UTC] felipe@php.net
-Status: Open +Status: Closed
 [2014-10-07 23:18 UTC] stas@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=41b73e4cee9ce68b8b78a00eddd4322b0d48dd06
Log: - Fixed bug #62964 (Possible XSS on "Registered stream filters" info) patch by: david at nnucomputerwhiz dot com
 [2014-10-07 23:29 UTC] stas@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=41b73e4cee9ce68b8b78a00eddd4322b0d48dd06
Log: - Fixed bug #62964 (Possible XSS on "Registered stream filters" info) patch by: david at nnucomputerwhiz dot com