Bug 125880 - dev-lang/php-5.1.1 and dev-lang/php-4.4.1-r3: XSS when display_errors AND html_errors are on
Status: RESOLVED DUPLICATE of bug 125878
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://www.php.net/release_5_1_2.php...
Reported: 2006-03-11 15:02 UTC by Andy Kraut
Modified: 2006-03-12 03:36 UTC
Description Andy Kraut 2006-03-11 15:02:54 UTC
Multiple cross-site scripting (XSS) vulnerabilities in PHP 5.1.1, when display_errors and html_errors are on, allow remote attackers to inject arbitrary web script or HTML via inputs to PHP applications that are not filtered when they are included in the resulting error message.
Note: Gentoo's default config file for PHP has display_errors=on and html_errors=off making a default-configured system not vulnerable.
--akraut

CVE-2006-0208
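
An added example, not part of the bug report and not Gentoo's or PHP's own code: a Python check that reads php.ini text and reports whether the combination named in the description (display_errors and html_errors both on) is in effect. The sample ini snippets are constructed, and the fallback value for a missing directive assumes PHP's documented built-in default of "1" for both settings.

```python
import re

# Spellings PHP accepts for "on"; "stdout" is an alternative display_errors value.
TRUE_WORDS = {"1", "on", "true", "yes", "stdout"}
# Assumption: a directive absent from php.ini falls back to PHP's built-in
# default, which the PHP manual documents as "1" for both directives.
BUILTIN_DEFAULTS = {"display_errors": "1", "html_errors": "1"}
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*)$")

# Constructed sample inputs (not taken from any real system).
GENTOO_DEFAULT = "[PHP]\ndisplay_errors = On\nhtml_errors = Off\n"
BOTH_ON = "[PHP]\ndisplay_errors = On\nhtml_errors = On\n"
REENABLED = (
    "html_errors = Off\n"
    "; html_errors = On\n"
    'html_errors = "1"   ; re-enabled for debugging\n'
    "display_errors=stdout\n"
)
DIRECTIVE_MISSING = "display_errors = On\n"


def effective_settings(ini_text):
    """Return the last value assigned to each watched directive."""
    values = dict(BUILTIN_DEFAULTS)
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0]        # drop ';' comments
        match = ASSIGNMENT.match(line)
        if not match:
            continue                         # blank line or [section] header
        name = match.group(1)
        raw = match.group(2).strip().strip("\"'")
        if name in values:
            values[name] = raw               # a later assignment overrides
    return values


def is_on(value):
    return value.strip().lower() in TRUE_WORDS


def exposed(ini_text):
    """True when both directives from the bug description are enabled."""
    settings = effective_settings(ini_text)
    return is_on(settings["display_errors"]) and is_on(settings["html_errors"])


if __name__ == "__main__":
    for label in ("GENTOO_DEFAULT", "BOTH_ON", "REENABLED", "DIRECTIVE_MISSING"):
        print(label, "exposed" if exposed(globals()[label]) else "not exposed")
```

The check covers the ini file only; values changed at runtime with ini_set() or by per-directory web server settings are not seen by it.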
Comment 1 Luca Longinotti (RETIRED) gentoo-dev 2006-03-11 17:30:08 UTC
The same issue can be found in dev-lang/php-4.4.1-r3, PHP 4.4.2 fixes this (see http://www.php.net/release_4_4_2.php for details), the other "big issues" mentioned in the release announcement were already fixed by 4.4.1-r3, the security issues will be fixed by adding dev-lang/php-4.4.2 to the tree today/tomorrow (depends on your timezone :P), will update the bug once it's done.
Best regards, CHTEKK.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-03-12 03:36:18 UTC
Grouping bugs

*** This bug has been marked as a duplicate of 125878 ***