Re: Re: mysql_error() can lead to Cross Site Scripting attacks

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Re: mysql_error() can lead to Cross Site Scripting attacks
From: gmdarkfig@xxxxxxxxx
Date: 21 Sep 2006 18:41:48 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Sorry for the little error, *Unpatched.

Just imagine, you have a limited access (sql command are filtered for example) 
to an sql injection, you don't know the source code of the php script. You 
can't do anything with the sql injection, all your attempts conduct to an error 
returned to client. You don't know if there is an admin panel ... you launch 
the XSS attack. You get the admin cookie, a new category appear, you have now 
acess to the admin panel.

"1. The database is almost never given by user input."
Not needed.

"2. With proper output escaping this kind of attack is thwarted." -> Yes but 
examples given on php.net and others php website don't say that.
See http://www.php.net/mysql_error for the manual.
See http://www.koders.com/?s=or+die+mysql_error&_%3Abtn=Search&_%3Ala=PHP&_% 
for examples.
Normal(and others) people aren't informed about that.

Greetings.

Prev by Date: Call for Papers and Tutorials for the 19th Annual FIRST Conference, June 17– 22, 2007
Next by Date: Re: mysql_error() can lead to Cross Site Scripting attacks
Previous by thread: Re: mysql_error() can lead to Cross Site Scripting attacks
Next by thread: Dr.Web 4.33 antivirus LHA long directory name heap overflow
Index(es):
- Date
- Thread