Bug #62964 Cross-Site Scripting
Submitted: 2012-08-29 12:06 UTC Modified: -
From: ymaryshev at ptsecurity dot ru Assigned:
Status: Closed Package: *General Issues
PHP Version: 5.4.6 OS: win
Private report: No CVE-ID:
 [2012-08-29 12:06 UTC] ymaryshev at ptsecurity dot ru
Description:
------------
An attacker can conduct a cross-site scripting attack because of the incorrect implementation of the php_info_print_stream_hash function in phpinfo in PHP.

The vulnerability exists in the /ext/sqlite3/ info.c file. Here is the vulnerable code:

static void php_info_print_stream_hash(const char *name, HashTable *ht TSRMLS_DC) /* {{{ */
{
	...
	while (zend_hash_get_current_key_ex(ht, &key, &len, NULL, 0, &pos) == HASH_KEY_IS_STRING)
	{
		php_info_print(key);
		...

Test script:
---------------
<?php
	stream_filter_register("<script>alert('Positive')</script>","a");
	phpinfo();
?>


Patches

use_php_info_print_html_esc (last revision 2012-09-14 05:56 UTC) by david at nnucomputerwhiz dot com)

History

 [2012-09-01 17:18 UTC] zyss at mail dot zp dot ua
Unfortunately, most PHP output functions are vulnerable in the same way...

For example, built-in echo function:

$a = "<script>alert('Positive')</script>";
echo $a; // echo IS VULNERABLE!!!11oneoneeleven

Seriously, a healthy programmer never allows untrusted data (user input) to be passed to stream_filter_register(), or to other functions.

Moreover, phpinfo() should never be exposed.
 [2012-09-14 05:35 UTC] david at nnucomputerwhiz dot com
I can't imagine this bug ever causing any real security problems, but whenever outputting anything to the browser that could contain HTML entities, they should be encoded. So php_info_print should probably be modified to use htmlentities so that if it ever tried to print a '&' or '<' to the browser it will be displayed properly.
 [2012-09-14 05:59 UTC] david at nnucomputerwhiz dot com
Added patch. It's a really simple change to use php_info_print_html_esc when appropriate. We do the same thing with other functions like php_print_gpcse_array().
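As an added illustration, not code from php-src or from anyone on this report, the following self-contained C program contrasts the two behaviours discussed above: copying a registered filter name into the phpinfo() page verbatim, as php_info_print did, versus escaping it first, as php_info_print_html_esc does before printing. The escaper info_html_escape, the renderer render_stream_filters and the sample filter names are constructed for this example; the entity choices (in particular &#039; for a single quote) assume the ENT_QUOTES behaviour of PHP's htmlspecialchars, which php_info_print_html_esc relies on.

```c
#include <stdio.h>
#include <string.h>

/* Minimal HTML escaper standing in for php_info_print_html_esc(), which
 * escapes through php_escape_html_entities() with ENT_QUOTES.
 * Returns the number of bytes written, or -1 if `out` is too small.
 * Hypothetical helper written for this example, not php-src code. */
static int info_html_escape(const char *in, char *out, size_t outlen) {
    size_t pos = 0;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, 0 };
        switch (*in) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#039;"; break;   /* assumes ENT_QUOTES behaviour */
            default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (pos + n + 1 > outlen) return -1;   /* refuse to truncate mid-entity */
        memcpy(out + pos, rep, n);
        pos += n;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Render the "Registered Stream Filters" cell the way phpinfo() lists it:
 * names joined by ", ". With escape == 0 each name is copied verbatim
 * (the pre-fix php_info_print path); with escape != 0 each name goes
 * through info_html_escape() first (the patched php_info_print_html_esc path). */
static int render_stream_filters(const char **names, int count, int escape,
                                 char *out, size_t outlen) {
    size_t pos = 0;
    for (int i = 0; i < count; i++) {
        char esc[256];
        const char *item = names[i];
        if (escape) {
            if (info_html_escape(names[i], esc, sizeof esc) < 0) return -1;
            item = esc;
        }
        size_t n = strlen(item);
        size_t sep = (i + 1 < count) ? 2 : 0;
        if (pos + n + sep + 1 > outlen) return -1;
        memcpy(out + pos, item, n);
        pos += n;
        if (sep) { memcpy(out + pos, ", ", 2); pos += 2; }
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Returns 1 if the rendered cell still carries a raw "<script" tag, i.e.
 * the browser would parse markup that came from a filter name. */
static int contains_raw_script(const char *html) {
    return strstr(html, "<script") != NULL;
}

int main(void) {
    /* Constructed input: two stock filter names plus the payload from the report. */
    const char *names[] = { "string.rot13", "<script>alert('Positive')</script>", "zlib.*" };
    char raw[512], safe[512];
    render_stream_filters(names, 3, 0, raw, sizeof raw);
    render_stream_filters(names, 3, 1, safe, sizeof safe);
    printf("unescaped: %s\n", raw);
    printf("escaped:   %s\n", safe);
    return contains_raw_script(safe);   /* 0 once escaping is in place */
}
```

The escaped cell is still readable in the page (the browser shows the literal name), but nothing in it is parsed as markup; that is exactly the difference the patch makes for the "Registered stream filters" line.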
 [2013-06-25 21:00 UTC] felipe@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=41b73e4cee9ce68b8b78a00eddd4322b0d48dd06
Log: - Fixed bug #62964 (Possible XSS on "Registered stream filters" info) patch by: david at nnucomputerwhiz dot com
 [2013-06-25 21:00 UTC] felipe@php.net
-Status: Open +Status: Closed
Last updated: Wed Apr 23 09:02:23 2014 UTC