Bug 125880

Summary:	dev-lang/php-5.1.1 and dev-lang/php-4.4.1-r3: XSS when display_errors AND html_errors are on
Product:	Gentoo Security	Reporter:	Andy Kraut <akraut>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED DUPLICATE
Severity:	minor	CC:	php-bugs
Priority:	High
Version:	unspecified
Hardware:	All
OS:	All
URL:	:http://www.php.net/release_5_1_2.php,http://www.php.net/release_4_4_2.php
Whiteboard:
Package list:		Runtime testing required:	---

Description Andy Kraut 2006-03-11 15:02:54 UTC

Multiple cross-site scripting (XSS) vulnerabilities in PHP 5.1.1, when display_errors and html_errors are on, allow remote attackers to inject arbitrary web script or HTML via inputs to PHP applications that are not filtered when they are included in the resulting error message.
Note: Gentoo's default config file for PHP has display_errors=on and html_errors=off making a default-configured system not vulnerable.
--akraut

CVE-2006-0208

Comment 1 Luca Longinotti (RETIRED) gentoo-dev

2006-03-11 17:30:08 UTC

The same issue can be found in dev-lang/php-4.4.1-r3, PHP 4.4.2 fixes this (see http://www.php.net/release_4_4_2.php for details), the other "big issues" mentioned in the release announcement were already fixed by 4.4.1-r3, the security issues will be fixed by adding dev-lang/php-4.4.2 to the tree today/tomorrow (depends on your timezone :P), will update the bug once it's done.
Best regards, CHTEKK.

Comment 2 Thierry Carrez (RETIRED) gentoo-dev

2006-03-12 03:36:18 UTC

Grouping bugs

*** This bug has been marked as a duplicate of 125878 ***