Neal Poole – Cross-Site Scripting via Error Reporting Notices in PHP

A PHP application that displays error reporting notices and contains specific code patterns may be vulnerable to a cross-site scripting attack. I’ve confirmed this issue on PHP 5.2.17 and a snapshot of PHP 5.4 (I assume it affects other versions of PHP as well). This issue was filed as Sec Bug #55139 back in July, but it was recently closed as “bogus” by a member of the PHP team, making the report public.

When display_errors is enabled and a PHP notice is generated, none of the text of the notice is HTML-encoded. That means if an attacker can control part of the notice text, they can inject arbitrary HTML and JavaScript into the page. Certain specific coding patterns make such an attack possible.

via Neal Poole – Cross-Site Scripting via Error Reporting Notices in PHP. Though, to be fair, you probably shouldn’t be using display_errors on a production site.
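One way to act on both points, shown as an added example that is not code from Neal Poole's post or from PHP itself: keep notices out of the response in production, and HTML-encode the notice text in the one place it is ever displayed. It assumes PHP 7.0 or later; `render_error_html()` and the `APP_ENV` environment variable are hypothetical names, and the sample notice text is constructed.

```php
<?php
// Added example, not from the original post. Assumes PHP 7.0+.
// APP_ENV and render_error_html() are hypothetical names.

// Production baseline: keep notices out of the response, send them to the log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Build the on-page form of an error with every dynamic part HTML-encoded.
function render_error_html(int $errno, string $errstr, string $errfile, int $errline): string
{
    $enc = function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    };
    return sprintf(
        "<pre class=\"php-error\">[%d] %s in %s on line %d</pre>\n",
        $errno, $enc($errstr), $enc($errfile), $errline
    );
}

set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false; // level not reported (e.g. silenced with @): leave it to PHP
    }
    // Strip control characters so request-derived text cannot forge log lines.
    $logMsg = preg_replace('/[\x00-\x1F\x7F]/', ' ', $errstr);
    error_log(sprintf('PHP error [%d] %s in %s:%d', $errno, $logMsg, $errfile, $errline));

    // Only a development environment ever sees the message, and only encoded.
    if (getenv('APP_ENV') === 'development') {
        echo render_error_html($errno, $errstr, $errfile, $errline);
    }
    return true; // handled: PHP's built-in, unencoded notice output is skipped
});

// Constructed sample: notice text carrying markup is rendered inert.
echo render_error_html(E_NOTICE, 'Undefined index: <em>constructed</em>', __FILE__, __LINE__);
```

A handler installed with `set_error_handler()` does not see fatal errors or parse errors, so `display_errors` still needs to be off in the server's `php.ini` for those.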

Justin Yost is a full-time Software Engineer and a part time educator. A graduate of Texas Tech University with a bachelor's degree in computer science, Justin relishes programming and learning more about anything and everything. When not working, Justin occasionally gives talks at the local PHP Meetup. In his free time, Justin enjoys backpacking and reading science fiction books.
