PHP :: Sec Bug #79309 :: possible information leak of PID on MySQL connection failure

Sec Bug #79309	possible information leak of PID on MySQL connection failure
Submitted:	2020-02-26 19:01 UTC	Modified:	2020-02-26 19:39 UTC
From:	php at darkain dot com	Assigned:
Status:	Not a bug	Package:	MySQLi related
PHP Version:	7.4.3	OS:	any
Private report:	No	CVE-ID:	None

View Developer Edit

[2020-02-26 19:01 UTC] php at darkain dot com

Description:
------------
The line of code can be found here:

https://github.com/php/php-src/blob/master/ext/mysqlnd/mysqlnd_commands.c#L633

An example output can be found here:

https://travis-ci.org/darkain/pudl/jobs/655476237#L504

In my particular example, it is a unit test suite, so warnings/errors are visible. In a normal production environment, this information SHOULDNT be visible, but many application and frameworks will display database connectivity errors straight to the client/user. PID knowledge can be used in conjunction with other potential exploits in an attack on a system.

This bug has always been there from the looks of it (going back to 2015 code), but it appears that in PHP 7.4, mysqlnd is used instead of mysqli, so this code path is now being hit. Also, mysqlnd isn't an option in the database functions list here on the bug tracker.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-02-26 19:24 UTC] stas@php.net

-Status: Open +Status: Not a bug

[2020-02-26 19:24 UTC] stas@php.net

> but many application and frameworks will display database connectivity errors straight to the client/user

They shouldn't. Application displaying debug information to the client is not a bug in PHP.

[2020-02-26 19:39 UTC] php at darkain dot com

Applications shouldnt display debug information, agreed.

Regardless of that, I still don't think PID information should be included within an error message, even without outputting to the client. This is leading to essentially a variable error message which is causing issues in an application in an unpredicted way. If nothing else, it should be noted as a change in the PHP 7.4 docs that the mysqli driver was changed.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Mar 18 01:01:26 2025 UTC