Re: PHP 3.0.14 Disclosure via POST requests

[lhecking () NMRC IE (Lars Hecking)]

> I noticed some not-so-good behavior in PHP 3.0.14 when dealing with POST
> requests that do not contain a content-type header in the request
> (illegal).  The server will return the page anyways, but the first line
> will be a PHP warning message containing the full path to that file.

 A similar disclosure is possible with Horde (www.horde.org) packages.

 Horde comes with a test.php3 file which displays server info, including
 full path names, through phpinfo(). The fix is to chmod 000 this file
 after installation.

 The secure.sh script, which should be run after installation and
 configuration, has been updated to perform this operation, but only
 in the cvs. All versions released so far, including horde-1.2.0-pre12,
 are vulnerable.

 HAND.