[PHP-BUG] Bug #62964 [NEW]: Cross-Site Scripting

Wed, 29 Aug 2012 05:06:24 -0700 

From:             ymaryshev at ptsecurity dot ru
Operating system: win
PHP version:      5.4.6
Package:          *General Issues
Bug Type:         Bug
Bug description:Cross-Site Scripting

Description:
------------
An attacker can conduct cross-site scripting attack because of incorrect 
implementation of php_info_print_stream_hash function in phpinfo in PHP.

Vulnerability exists in /ext/sqlite3/ info.c file. Here is the vulnerable
code:
static void php_info_print_stream_hash(const char *name, HashTable *ht
TSRMLS_DC) 
/* {{{ */ {
                        ...
                        while (zend_hash_get_current_key_ex(ht, &key, &len, 
NULL, 
0, &pos) == HASH_KEY_IS_STRING)
                        {
                                php_info_print(key);
                                ...

Test script:
---------------
<?php
        stream_filter_register("<script>alert('Positive')</script>","a");
        phpinfo();
?>


-- 
Edit bug report at https://bugs.php.net/bug.php?id=62964&edit=1
-- 
Try a snapshot (PHP 5.4):            
https://bugs.php.net/fix.php?id=62964&r=trysnapshot54
Try a snapshot (PHP 5.3):            
https://bugs.php.net/fix.php?id=62964&r=trysnapshot53
Try a snapshot (trunk):              
https://bugs.php.net/fix.php?id=62964&r=trysnapshottrunk
Fixed in SVN:                        
https://bugs.php.net/fix.php?id=62964&r=fixed
Fixed in SVN and need be documented: 
https://bugs.php.net/fix.php?id=62964&r=needdocs
Fixed in release:                    
https://bugs.php.net/fix.php?id=62964&r=alreadyfixed
Need backtrace:                      
https://bugs.php.net/fix.php?id=62964&r=needtrace
Need Reproduce Script:               
https://bugs.php.net/fix.php?id=62964&r=needscript
Try newer version:                   
https://bugs.php.net/fix.php?id=62964&r=oldversion
Not developer issue:                 
https://bugs.php.net/fix.php?id=62964&r=support
Expected behavior:                   
https://bugs.php.net/fix.php?id=62964&r=notwrong
Not enough info:                     
https://bugs.php.net/fix.php?id=62964&r=notenoughinfo
Submitted twice:                     
https://bugs.php.net/fix.php?id=62964&r=submittedtwice
register_globals:                    
https://bugs.php.net/fix.php?id=62964&r=globals
PHP 4 support discontinued:          
https://bugs.php.net/fix.php?id=62964&r=php4
Daylight Savings:                    https://bugs.php.net/fix.php?id=62964&r=dst
IIS Stability:                       
https://bugs.php.net/fix.php?id=62964&r=isapi
Install GNU Sed:                     
https://bugs.php.net/fix.php?id=62964&r=gnused
Floating point limitations:          
https://bugs.php.net/fix.php?id=62964&r=float
No Zend Extensions:                  
https://bugs.php.net/fix.php?id=62964&r=nozend
MySQL Configuration Error:           
https://bugs.php.net/fix.php?id=62964&r=mysqlcfg

Reply via email to