[VIM] More details on PHP XSS fix
Steven M. Christey
coley at mitre.org
Tue Jan 17 13:29:48 EST 2006
The problem exists in the way PHP displays error messages. This
issue is only exploitable when 'display_errors' and 'html_errors'
are both set to 'On' in the PHP configuration file. When an HTML
error message was being generated, the output was not properly
sanitized, which could allow an attacker to insert arbitrary HTML,
thus allowing an XSS attack.
This issue is only exploitable if 'html_errors' is on, which the
configuration file clearly states should not be used on production
Sooooo... I wonder if this is the "bug" I've been thinking about for
months, which is responsible for large amounts of so-called XSS in PHP
applications that produce verbose error messages, e.g. when "<script>"
produces a SQL syntax error.
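An added example in PHP (not from the VIM post or from PHP's own fix) showing the application-side pattern described above, a database error that echoes "<script>" back unencoded, beside a hardened handler and the production settings the quoted advisory refers to; the query, error text and payload are constructed for illustration.

```php
<?php
// Added example (not from the VIM post or PHP's fix): the application-level
// anti-pattern behind "verbose error message" XSS, and the defensive pattern.

// 1. Anti-pattern: a verbose database error that echoes the failed query
//    (and therefore the user's input) straight back into the page.
function vulnerableErrorPage(string $userInput): string
{
    // Constructed failing query and driver-style error text; real drivers
    // report the offending SQL fragment in much the same way.
    $sql = "SELECT * FROM items WHERE name = '" . $userInput . "'";
    $dbError = "You have an error in your SQL syntax near '" . $userInput . "'";
    // Unencoded: if $userInput contains "<script>", it is rendered as markup.
    return "<p>Query failed: " . $dbError . "</p>";
}

// 2. Hardened version: never reflect driver error text; log it server-side,
//    and HTML-encode anything that does reach the browser.
function safeErrorPage(string $userInput, string &$logLine): string
{
    $dbError = "You have an error in your SQL syntax near '" . $userInput . "'";
    // Full detail goes to the server log (error_log() in a real deployment).
    $logLine = date('c') . ' db error: ' . $dbError;
    // The user sees a generic message; the only echoed input is encoded.
    $shown = htmlspecialchars($userInput, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Sorry, the search for \"" . $shown . "\" could not be completed.</p>";
}

// 3. Production settings matching the advisory's caveat: keep PHP's own
//    error output out of the response entirely (php.ini names in comments).
function applyProductionErrorSettings(): void
{
    ini_set('display_errors', '0'); // display_errors = Off
    ini_set('html_errors', '0');    // html_errors    = Off
    ini_set('log_errors', '1');     // log_errors     = On
}

// Demonstration with a constructed payload.
applyProductionErrorSettings();
$payload = "<script>alert(1)</script>";
$log = '';
echo vulnerableErrorPage($payload), PHP_EOL; // contains a raw <script> tag
echo safeErrorPage($payload, $log), PHP_EOL; // contains &lt;script&gt; only
echo $log, PHP_EOL;                          // detail stays server-side
```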