RE: Security Advisory - #1

["Colby Marks" <Colby () DigitalJunction com>]

Unconfirmed.

Windows 2000 sp2 plus postsp2rollup patch + PHP 4.0.6

Response from my webserver is as follows:

CGI Error
The specified CGI application misbehaved by not returning a complete set
of HTTP headers. The headers it did return are:

http://www.somewebsite.com/somesubdir/index.php/123
This format failed the test.

HOWEVER
http://www.somewebsite.com/somesubdir/index.php/

Passed the test and revealed the TRUE location of the File, not the
location of the PHP installation directory.  This can be avoided by
disabling the showing of scripting errors in IIS.

What version of Windows and what service packs, plus what version of PHP
are you using?

-Colby

-----Original Message-----
From: Paul Brereton [mailto:brereton_paul () btopenworld com] 
Sent: Thursday, February 07, 2002 7:00 AM
To: bugs () securitytracker com; webmaster () hideaway net;
contact () securitybugware org; exploit () nstalker com;
security () winnetmag com; editors () apacheweek com;
bugtraq () securityfocus com
Subject: Security Advisory - #1

Title : Windows Based PHP Leaks True Path
Author : Paul Brereton
E-Mail : brereton_paul () btopenworld com

Summary : PHP for Windows reveals the true path where the program was
installed. This would be considered in most cases sensitive information.

Details : By appending /123 to the end of a PHP file such as
http://somehost/database.php/123 the PHP program will return its install
path:
 The following message is displayed : Premature end of script headers:
C:/php/php.exe


Regards,

Paul Brereton.