[VIM] More details on PHP XSS fix

Steven M. Christey coley at mitre.org
Tue Jan 17 13:29:48 EST 2006

Re: CVE-2006-0208


This says:

  The problem exists in the way PHP displays error messages.  This
  issue is only exploitable when 'display_errors' and 'html_errors'
  are both set to 'On' in the PHP configuration file.  When a HTML
  error message was being generated, the output was not properly
  sanitized, which could allow an attacker to insert arbitrary HTML,
  thus allowing a XSS attack.

  This issue is only exploitable if 'html_errors' is on, which the
  configuration file cleary states should not be used on production

Sooooo...  I wonder if this is the "bug" I've been thinking about for
months, which is responsible for large amounts of so-called XSS in PHP
applications that produce verbose error messages, e.g. when "<script>"
produces a SQL syntax error.

- Steve

More information about the VIM mailing list