|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #79309 possible information leak of PID on MySQL connection failure
Submitted: 2020-02-26 19:01 UTC Modified: 2020-02-26 19:39 UTC
From: php at darkain dot com Assigned:
Status: Not a bug Package: MySQLi related
PHP Version: 7.4.3 OS: any
Private report: No CVE-ID: None
 [2020-02-26 19:01 UTC] php at darkain dot com
The line of code can be found here:

An example output can be found here:

In my particular example, it is a unit test suite, so warnings/errors are visible. In a normal production environment, this information SHOULDNT be visible, but many application and frameworks will display database connectivity errors straight to the client/user. PID knowledge can be used in conjunction with other potential exploits in an attack on a system.

This bug has always been there from the looks of it (going back to 2015 code), but it appears that in PHP 7.4, mysqlnd is used instead of mysqli, so this code path is now being hit. Also, mysqlnd isn't an option in the database functions list here on the bug tracker.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-02-26 19:24 UTC]
-Status: Open +Status: Not a bug
 [2020-02-26 19:24 UTC]
> but many application and frameworks will display database connectivity errors straight to the client/user

They shouldn't. Application displaying debug information to the client is not a bug in PHP.
 [2020-02-26 19:39 UTC] php at darkain dot com
Applications shouldnt display debug information, agreed.

Regardless of that, I still don't think PID information should be included within an error message, even without outputting to the client. This is leading to essentially a variable error message which is causing issues in an application in an unpredicted way. If nothing else, it should be noted as a change in the PHP 7.4 docs that the mysqli driver was changed.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Feb 22 12:01:29 2024 UTC