From: bskandmon at hotmail dot com
Operating system: unknow
PHP version: 5.2.2
PHP Bug Type: MySQL related
Bug description: unknow

Description:
------------
I'm french and I'm 15, so excuse me for my verry verry bad english. I've
found an xss fail in mysql_error(). You've just to do a synthax error (whit
" in my example) and write your script after the ".

Reproduce code:
---------------
$var = '"<script>alert(\'Hi ! Xss discovered !\')</script>';
$rep = mysql_query('SELECT pseudo FROM membres where pseudo =
"'.$var.'"');
if (!$rep)
{
echo '<br><b>Transmettre aux administrateurs : (via la page contact ou
par mp) '.mysql_error().'</b>';
}
else
{
return $rep;
}


--
Edit bug report at http://bugs.php.net/?id=41389&edit=1
--
Try a CVS snapshot (PHP 4.4): http://bugs.php.net/fix.php?id=41389&r=trysnapshot44
Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=41389&r=trysnapshot52
Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=41389&r=trysnapshot60
Fixed in CVS: http://bugs.php.net/fix.php?id=41389&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=41389&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=41389&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=41389&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=41389&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=41389&r=support
Expected behavior: http://bugs.php.net/fix.php?id=41389&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=41389&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=41389&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=41389&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=41389&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=41389&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=41389&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=41389&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=41389&r=float
No Zend Extensions: http://bugs.php.net/fix.php?id=41389&r=nozend
MySQL Configuration Error: http://bugs.php.net/fix.php?id=41389&r=mysqlcfg

ID: 41389
Updated by: johannes@php.net
Reported By: bskandmon at hotmail dot com
-Status: Open
+Status: Bogus
Bug Type: MySQL related
Operating System: unknow
PHP Version: 5.2.2
New Comment:

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the do***entation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

mysql_error() just passed the original error message from the database.
The function doesn't know what you are doing with the returned value.
(logging ...) So no escaping can be done.

As a general notice: If the user can generate a MySQL error you have
most likely a bigger problem than XSS: SQL injection.


Previous Comments:
------------------------------------------------------------------------

[2007-05-14 19:57:17] bskandmon at hotmail dot com

Description:
------------
I'm french and I'm 15, so excuse me for my verry verry bad english.
I've found an xss fail in mysql_error(). You've just to do a synthax
error (whit " in my example) and write your script after the ".

Reproduce code:
---------------
$var = '"<script>alert(\'Hi ! Xss discovered !\')</script>';
$rep = mysql_query('SELECT pseudo FROM membres where pseudo =
"'.$var.'"');
if (!$rep)
{
echo '<br><b>Transmettre aux administrateurs : (via la page contact ou
par mp) '.mysql_error().'</b>';
}
else
{
return $rep;
}

------------------------------------------------------------------------


--
Edit this bug report at http://bugs.php.net/?id=41389&edit=1