Re: [bugtraq] mysql_error() can lead to Cross Site Scripting attacks

[Christian Hammers <ch () westend com>]

Hello DarkFig

As in the PHP bug report written, too, the bug here is not in the
mysql_error() function but in the program that writes its output on a HTML
page without proper escaping with htmlentities() or htmlspecialchars().

mysql_error() is not limited to web programming, it is used in console
scripts, too, that do not output HTML at all so it would be wrong if
mysql_error() would escape its output. Apart from the fact that SQL layer
functions should never mix up with the presentation layer.

BTW,
 - you wrote "Vendor Status: Patched" although the bug was set to "Bogus"
   and did not seem to have got any patch
 - you wrote "No response from the PHP team" although there was a response
   on 2006-09-06

bye,

-christian-


On Wed, Sep 20, 2006 at 12:47:54PM -0000, gmdarkfig () gmail com wrote:
> mysql_error() can lead to Cross Site Scripting attacks ========================================================
>  Affected.scr..: PHP4 <= 4.4.4  PHP5 <= 5.1.6
>  Advisory.ID...: 11060920
>  Risk.level....: Low
>  Vendor.Status.: Patched
>  Src.download..: http://www.php.net/
>  Adv.link......: acid-root.new.fr/advisories/11060920.txt
>  ========================================================
>
>
> ==[ OVERVIEW
> ============
> PHP: Hypertext Preprocessor is an open source server side
> programming language extensively used for web scripts and to
> process data passed via the Common Gateway Interface from
> HTML forms etc. PHP can be written as scripts that reside on
> the server and may produce HTML output that downloads to the
> web browser. Alternatively, PHP can be embedded within HTML
> pages that are then saved with a .php file extension. The PHP
> sections of the page are then parsed by the PHP engine on the
> server and the PHP code stripped out before the page is
> downloaded to the web browser. The name is a bit of a
> programming joke (if there is sucha thing) since it's a
> recursive acronym i.e. the P in PHP stands for PHP.
>
>
> ==[ DETAILS
> ===========
> The goal of the mysql_error() function is to return the error
> text from the last MySQL function. This function can lead to
> Cross Site Scripting attacks. To conduct this attack, some
> parameters are required. If an mysql function use a bad parameter
> provided by the attacker and if the mysql_error() result is
> returned to the user, this can be exploited to conduct Cross
> Site Scripting attack. This can be useful if the attacker has
> a restricted access to an mysql function.
>
>
> ==[ POC/EXPLOIT
> ===============
> <?php  //?db=<script>alert(666)</script>
> $link = mysql_connect("localhost", "root", "");
> mysql_select_db($db, $link);
> echo mysql_errno($link) . ": " . mysql_error($link). "\n";
> ?>
>
>
> ==[ LINKS
> =========
> Mysql functions list.: http://www.php.net/manual/en/ref.mysql.php
> Discussion on php.net: http://bugs.php.net/bug.php?id=38733&edit=2
>
>
> ==[ SOLUTION
> ============
> No response from PHP Team.
>
>
> ==[ TIMELINE
> ============
> 06. Sept. 2006 - Vendor contacted
> 20. Sept. 2006 - Public disclosure
>
>
> ==[ CONTACT
> ===========
> Author: DarkFig
> Web...: www.acid-root.new.fr
> E-mail: gmdarkfig[*]gmail[*]com (fr/en)
>
> Note: Tested on 4.4.3

-- 
Christian Hammers             WESTEND GmbH  |  Internet-Business-Provider
Technik                       CISCO Systems Partner - Authorized Reseller
                              Lütticher Straße 10      Tel 0241/701333-11
ch () westend com                D-52064 Aachen              Fax 0241/911879