PHP: There are more reasons to deactivate display_errors than just hiding the structure of your code.

Consider this small PHP script:

Looks fairly innocent, right?
Well, it has a hidden XSS vulnerability if display_errors is enabled and error_reporting includes E_WARNING. Consider the output generated when the script is called with this query string:

?dir=<script>window.alert('foobar!');</script>

What happens? The path (most likely) doesn't exist, so opendir() raises a warning of level E_WARNING, and that warning contains the unescaped path that couldn't be found:

Uhm PHP, maybe you could at least escape the error messages when the content type currently being output is text/html?…
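To make the mechanism concrete, here is an added example; it is not the script from the original post, which is not reproduced above. It assumes a hypothetical directory-listing endpoint that takes a `dir` query parameter and passes it to opendir(), shows the vulnerable shape beside a hardened one, and the directory names in the whitelist are invented for the example.

```php
<?php
// Added example, not the script from the original post. It assumes a
// hypothetical directory-listing endpoint that reads ?dir=... from the query
// string and hands it to opendir().

// --- Vulnerable variant ----------------------------------------------------
// With display_errors=On and E_WARNING in error_reporting, opendir() on a
// non-existent path emits a warning that repeats the path verbatim, so
//   ?dir=<script>window.alert('foobar!');</script>
// ends up in the text/html response without escaping. The script's own output
// is escaped correctly; the injection comes from PHP's error reporting.
function list_dir_vulnerable(string $dir): void
{
    header('Content-Type: text/html; charset=utf-8');
    $handle = opendir($dir);          // on failure: E_WARNING containing $dir
    if ($handle === false) {
        echo '<p>Could not open directory.</p>';
        return;
    }
    echo '<ul>';
    while (($entry = readdir($handle)) !== false) {
        echo '<li>' . htmlspecialchars($entry, ENT_QUOTES, 'UTF-8') . '</li>';
    }
    closedir($handle);
    echo '</ul>';
}

// --- Hardened variant ------------------------------------------------------
// 1. Do not display errors to the client at all; log them instead. In
//    production this belongs in php.ini (display_errors=Off, log_errors=On);
//    the ini_set() calls below only make the example self-contained.
// 2. Map the parameter onto a fixed set of directories (hypothetical names),
//    so user input never reaches opendir() or any error message.
// 3. Check for failure yourself and emit a generic message, rather than
//    letting PHP's error handler describe the failure for you.
function list_dir_hardened(string $requested): void
{
    ini_set('display_errors', '0');   // in production: php.ini, not runtime
    ini_set('log_errors', '1');

    $allowed = [                      // hypothetical whitelist for the example
        'uploads' => __DIR__ . '/uploads',
        'public'  => __DIR__ . '/public',
    ];

    header('Content-Type: text/html; charset=utf-8');
    if (!isset($allowed[$requested])) {
        http_response_code(400);
        echo '<p>Unknown directory.</p>';   // nothing from the request is echoed
        return;
    }

    $path = $allowed[$requested];
    if (!is_dir($path)) {
        error_log("directory listing: missing directory {$path}");
        echo '<p>Directory unavailable.</p>';
        return;
    }

    $handle = opendir($path);
    if ($handle === false) {
        error_log("directory listing: opendir failed for {$path}");
        echo '<p>Directory unavailable.</p>';
        return;
    }
    echo '<ul>';
    while (($entry = readdir($handle)) !== false) {
        echo '<li>' . htmlspecialchars($entry, ENT_QUOTES, 'UTF-8') . '</li>';
    }
    closedir($handle);
    echo '</ul>';
}

// Entry point: run the hardened variant. Swap in list_dir_vulnerable() with
// display_errors=On to reproduce the injected warning in the HTML output.
list_dir_hardened((string) ($_GET['dir'] ?? ''));
```

Whether PHP HTML-escapes parts of a warning depends on the PHP version and on the html_errors setting, so the formatting of the message is not something to rely on. The reliable fix is the configuration one: display_errors off and log_errors on for anything reachable by a client, with the input check as a second layer so the path never appears in an error message in the first place.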
