[VIM] SQL Injections in phpwebsite

Steven M. Christey coley at linus.mitre.org
Wed Mar 22 20:47:59 EST 2006

On Wed, 22 Mar 2006, George A. Theall wrote:

> I understand, but what I was getting as is whether the issue with
> article.php was mis-classified as a cross-site scripting flaw rather
> than a SQL injection. Given that a mysql syntax error will echo the
> query if PHP's display_errors setting is enabled, the person behind the
> report at
>   http://archives.neohapsis.com/archives/bugtraq/2002-10/0029.html
> may have blindly been attacking phpwebsite and missed the true nature of
> this particular problem.

This kind of diagnosis error happens quite frequently, unfortunately, but
I've only recently started noticing/caring about this in the last year or
so (XSS would be "resultant" from a primary SQL injection using my
terminology, if this is the case.)

I'm not sure how much we can do about this diagnosis problem collectively,
besides verifying the issues ourselves when feasible, and encouraging
researchers to be more careful.

Note that I suspect that a recent PHP XSS flaw was related to the general
problem you're discussing, so maybe we'll stop seeing these kinds of
diagnosis errors as more products or installations move to newer PHP
versions.  Assuming that PHP XSS issue was related to display_errors...
I'd tell you the CVE number but searching for "php and xss" is, well,
obviously not even worth trying ;-)

Oh wait, here you go - CVE-2006-0208

- Steve

(who hasn't looked closely at this issue yet and thus is not commenting on

More information about the VIM mailing list