Sec Bug #65790 Deployment of xhprof_html makes the site vulnerable to XSS attack
Submitted: 2013-09-30 14:55 UTC Modified: 2013-10-01 13:52 UTC
From: spaze at exploited dot cz Assigned: scottmac (profile)
Status: Closed Package: xhprof (PECL)
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2013-09-30 14:55 UTC] spaze at exploited dot cz
Description:
------------
When the xhprof_html directory is deployed it makes the site vulnerable to a Reflected XSS attack by not properly escaping the run parameter.

1. find a site with xhprof_html deployed
2. change the run parameter to include <script>...</script> (e.g. /xhprof/?run=%3Cscript%3Ealert('XSS');%3C/script%3E)
3. load the page
4. notice the JS alert

NB: XSS filters in some browsers might block this attack



Expected result:
----------------
JavaScript is not executed, input is properly sanitized and/or escaped.

Actual result:
--------------
JavaScript is executed in the context of the user visiting the page.

History

 [2013-09-30 15:10 UTC] johannes@php.net
If that page is public one has other issues, too. This should be fixed nonetheless, I'll contact xhprof maintainers.
 [2013-09-30 16:21 UTC] scottmac@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: scottmac
 [2013-09-30 16:43 UTC] spaze at exploited dot cz
Unfortunately, the commit didn't make it to 0.9.3 available from http://pecl.php.net/get/xhprof-0.9.3.tgz
 [2013-09-30 21:28 UTC] johannes@php.net
-Status: Closed +Status: Assigned
 [2013-09-30 21:28 UTC] johannes@php.net
I can confirm this changeset is not in the release. Scott, any chance for a new release?
 [2013-10-01 13:52 UTC] johannes@php.net
-Status: Assigned +Status: Closed
 [2013-10-01 13:52 UTC] johannes@php.net
Scott released a new version. This issue should be fixed.

 http://pecl.php.net/package/xhprof
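
The reflected XSS in the report above comes from writing the `run` request parameter into the page unescaped. The following is an added example, not xhprof's code and not the fix that was committed: it shows the vulnerable pattern beside a hardened one that validates the value against an allowlist and HTML-encodes it on output. The function names and the assumed run-id format (letters and digits only) are hypothetical.

```php
<?php
// Added example, not xhprof's code; all function names are hypothetical.

// Encode a value for HTML text or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumption: run ids are 1-64 ASCII letters or digits.
// Returns the id, or null for anything else (including ?run[]=x arrays).
function parse_run_id($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    return preg_match('/\A[A-Za-z0-9]{1,64}\z/', $raw) === 1 ? $raw : null;
}

// Vulnerable pattern: the request value is concatenated into markup as-is.
function render_run_unsafe($raw): string
{
    return '<h3>Run: ' . $raw . '</h3>';
}

// Hardened: reject ids outside the allowlist, and still encode on output
// so a later loosening of the pattern does not reopen the hole.
function render_run_safe($raw): string
{
    $run = parse_run_id($raw);
    if ($run === null) {
        return '<p>Invalid run id.</p>'; // never reflect the rejected value
    }
    return '<h3>Run: ' . h($run) . '</h3>';
}

// Constructed inputs: the report's payload, a plausible id, an array value.
$samples = ["<script>alert('XSS');</script>", '524a9e5f1c3b7', ['x']];

foreach ($samples as $raw) {
    echo render_run_safe($raw), "\n";
}

// Output encoding alone already turns the payload into inert text.
echo h($samples[0]), "\n";
// The unsafe form returns the <script> element intact.
echo render_run_unsafe($samples[0]), "\n";
```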
 