oss-sec mailing list archives
PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 27 Jun 2012 23:12:52 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So simply querying:

?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

e.g.:

http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

shows authors, SAPI modules (and their authors) and normal modules (and their authors), resulting in a significant information disclosure (version #'s can be narrowed down from the authors list).

This has already been reported, but no CVE was assigned:

https://bugs.php.net/bug.php?id=55497

It is mentioned in http://php.net/manual/en/ini.core.php; however, it is enabled by default:

; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header). It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; http://www.php.net/manual/en/ini.core.php#ini.expose-php
expose_php = On

- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP6+fUAAoJEBYNRVNeJnmTk5UQAJebKDKDxL/7HWz3rPcgonLl
+45EykI+EPgH2dTmPk1vImMa+o074TgPdZYgsupDZc2jiHkyK8qo29zV3VZgg0Gk
U8o4V1sZbt/dHiwZYagPOn4zz5A9Z+QNgnWiNCD4FZyWIBRDzWRrqfrHUjmHKPC1
f50OHEvm1Gsu05jchyH8klj1MlIeLN86ZzlONieDU6nf8i93qLSd6R9EK/HpsET7
6OMyrLlRNECiozruGhkCx7Eb0B1kjKESnwhiTWJh3xmnyK4ec2iICKvD3oOl7cFm
FwXl59Iy41gpaHQW6qGyWSp942pLcQjWxixgFapJaqmnJyvE94OMdYr/dsOBHpo/
329V66HBEFqIeC3tOLWVdKoor0EzRWbSerBbybyYhge48r3Ofn+QOKk8+1Oo2rpw
AG7shGxDVCoAG77liMP7uKpFSnhVaBQTpKmqP16ca0e6IeqgJJKKUaj/ZFzyLVdV
KvbhzPhHPG9vmjHtfgj1DRxQop4O2uVzvPNtXw/H0F8MqFNCpT/P4BQ5uXYPBqAE
YdOAiS0hbdd5SRwRwLRXFRnbz14o8td36xRg1OcngPnaAZ4fnA/1xAtlDNHutUbZ
OxNdpX0q2RfcqdXyiLoNp0n8BK+2cpNB/2yDvpolwyxKAfoVL5whgxKc52FzTe6l
BrJsFUQkSUq+niiiaE7U
=Xv+O
-----END PGP SIGNATURE-----
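An added example, not part of Kurt's post and not PHP's own code, that puts the above to use from both sides. It builds the probe URL the way PHP matches it (the entire query string has to be `=<GUID>`, so an existing query string is replaced rather than appended to), classifies a reply as exposed or not from the credits page's "PHP Credits" heading and from the `X-Powered-By` header that `expose_php` also adds, scrapes the module/author pairs out of the phpinfo-style `<td class="e">`/`<td class="v">` rows (an assumption about the credits page layout), and on the defensive side flags the same GUID in combined-format access logs. The headers, credits-page body and log lines are constructed sample data; `probe()` is the only part that touches the network. The fix is still `expose_php = Off` in php.ini, which removes both the header and the easter egg; since newer PHP releases dropped the easter eggs, a missing credits page alone does not prove `expose_php` is off, which is why the header is checked as well.

```python
"""Added example (not from the post or from PHP): probe a PHP host for the
expose_php credits easter egg and flag such probes in access logs.
All headers, bodies and log lines below are constructed sample data."""
import re
import urllib.parse
import urllib.request
from typing import Dict, Iterable, List, Tuple

# GUID from the post.  PHP serves the credits page only when expose_php=On
# and the *entire* query string is "=<GUID>" (nothing before the "=").
CREDITS_GUID = "PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000"

# phpinfo()-style table rows the credits page is built from (assumed layout).
_ROW_RE = re.compile(r'<td class="e">(.*?)</td>\s*<td class="v">(.*?)</td>', re.S)
_TAG_RE = re.compile(r"<[^>]*>")
# Apache/nginx combined log: client, [time], "METHOD target proto", status.
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3})')


def probe_url(base: str) -> str:
    """Build the probe URL; any existing query string is replaced, not appended."""
    p = urllib.parse.urlsplit(base)
    return urllib.parse.urlunsplit((p.scheme, p.netloc, p.path or "/", "=" + CREDITS_GUID, ""))


def analyse(headers: Dict[str, str], body: str) -> dict:
    """Classify one response to the probe.

    credits_exposed: the body is the credits page (keyed on its <h1>).
    x_powered_by:    the header expose_php also adds, e.g. "PHP/5.3.10".
    rows:            (module, authors) pairs scraped from the credits tables.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    exposed = re.search(r"<h1>\s*PHP Credits\s*</h1>", body) is not None
    rows = [
        (_TAG_RE.sub("", mod).strip(), _TAG_RE.sub("", who).strip())
        for mod, who in (_ROW_RE.findall(body) if exposed else [])
    ]
    return {"credits_exposed": exposed, "x_powered_by": hdrs.get("x-powered-by"), "rows": rows}


def probe(base: str, timeout: float = 5.0) -> dict:
    """Live check: fetch probe_url(base) and run analyse() on the reply (needs network)."""
    req = urllib.request.Request(probe_url(base), headers={"User-Agent": "expose-php-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return analyse(dict(resp.headers.items()), resp.read().decode("utf-8", "replace"))


def find_probes(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Detection side: return (client, target, status) for requests whose
    query string is exactly the credits GUID, i.e. the same test PHP applies."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        if urllib.parse.urlsplit(target).query == "=" + CREDITS_GUID:
            hits.append((client, target, int(status)))
    return hits


# --- constructed sample data -------------------------------------------------
SAMPLE_HEADERS = {"Server": "Apache/2.2.22 (Debian)", "X-Powered-By": "PHP/5.3.10",
                  "Content-Type": "text/html"}
SAMPLE_CREDITS = """<html><body><h1>PHP Credits</h1>
<h2>SAPI Modules</h2><table border="0" cellpadding="3" width="600">
<tr class="h"><th>Contribution</th><th>Authors</th></tr>
<tr><td class="e">Apache 2.0 Handler</td><td class="v">A. Author, B. Author</td></tr>
</table><h2>Module Authors</h2><table border="0" cellpadding="3" width="600">
<tr><td class="e">OpenSSL</td><td class="v">C. Author, <b>D. Author</b></td></tr>
</table></body></html>"""
SAMPLE_PLAIN = "<html><head><title>Welcome</title></head><body>hello</body></html>"
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Jun/2012:23:12:52 -0600] "GET /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 HTTP/1.1" 200 8123 "-" "curl/7.26.0"',
    '198.51.100.4 - - [27/Jun/2012:23:13:01 -0600] "GET /index.php?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [27/Jun/2012:23:13:05 -0600] "GET /static/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(probe_url("http://php.net/"))
    print(analyse(SAMPLE_HEADERS, SAMPLE_CREDITS))
    print(find_probes(SAMPLE_LOG))
```

Run it as-is to see the offline results, or call `probe("http://host/")` against a host you are authorised to test. A hit from `find_probes()` with status 200 is the combination to alert on: the easter egg was requested and the server answered it, so the module and author list has already left the building.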
Current thread:
- PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Kurt Seifried (Jun 27)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Pierre Joye (Jun 27)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Kurt Seifried (Jun 28)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Oden Eriksson (Jun 28)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Kurt Seifried (Jun 28)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Matthias Weckbecker (Jun 27)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Johannes Schlüter (Jun 28)
- Re: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Stuart Henderson (Jun 28)
- RE: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Zeev Suraski (Jun 28)
- Re: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Kurt Seifried (Jun 28)
- Re: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Rasmus Lerdorf (Jun 28)
- Re: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Stuart Henderson (Jun 28)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Pierre Joye (Jun 27)