[VIM] More details on PHP XSS fix
Steven M. Christey
coley at mitre.org
Tue Jan 17 13:29:48 EST 2006
Re: CVE-2006-0208
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178028
This says:
The problem exists in the way PHP displays error messages. This
issue is only exploitable when 'display_errors' and 'html_errors'
are both set to 'On' in the PHP configuration file. When a HTML
error message was being generated, the output was not properly
sanitized, which could allow an attacker to insert arbitrary HTML,
thus allowing a XSS attack.
This issue is only exploitable if 'html_errors' is on, which the
configuration file clearly states should not be used on production
machines.
Sooooo... I wonder if this is the "bug" I've been thinking about for
months, which is responsible for large amounts of so-called XSS in PHP
applications that produce verbose error messages, e.g. when "<script>"
produces a SQL syntax error.
- Steve
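
Added example, not part of the original post or of the PHP project: a small audit of php.ini text for the precondition the quoted Bugzilla entry names, 'display_errors' and 'html_errors' both On. The sample ini text is constructed, and the truthy spellings and the default for a missing directive are assumptions to adjust for the PHP build being checked.

```python
import re

# Assumption: spellings treated as "enabled" (PHP's usual boolean forms,
# plus "stdout", which display_errors also accepts as "show errors").
TRUTHY = {"1", "on", "yes", "true", "stdout"}
DIRECTIVE = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.*?)\s*$")


def effective_settings(ini_text):
    """Return the last value seen for each directive, lowercased."""
    settings = {}
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0]           # drop ';' comments
        if line.lstrip().startswith("["):      # skip [section] headers
            continue
        m = DIRECTIVE.match(line)
        if m:                                  # later lines override earlier ones
            settings[m.group(1).lower()] = m.group(2).strip("\"'").lower()
    return settings


def html_error_xss_exposed(ini_text, default="on"):
    """True when both directives from the advisory are effectively On.

    `default` is the value assumed for a directive missing from the file
    (assumption: treat it as enabled unless the file says otherwise).
    """
    settings = effective_settings(ini_text)
    return all(settings.get(name, default) in TRUTHY
               for name in ("display_errors", "html_errors"))


# Constructed sample configurations.
DEV_INI = "[PHP]\ndisplay_errors = On\nhtml_errors = On\n"
PROD_INI = "[PHP]\ndisplay_errors = Off\nhtml_errors = Off\nlog_errors = On\n"
OVERRIDE_INI = ("display_errors = On\n; html_errors = On\n"
                "html_errors = On\nhtml_errors = Off ; set later in the file\n")

if __name__ == "__main__":
    for name, text in [("dev", DEV_INI), ("prod", PROD_INI),
                       ("override", OVERRIDE_INI)]:
        print(name, "exposed" if html_error_xss_exposed(text) else "ok")
```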