oss-sec mailing list archives
Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
From: "Oden Eriksson" <oeriksson () mandriva com>
Date: Thu, 28 Jun 2012 19:40:35 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/28/2012 12:13 AM, Pierre Joye wrote:hi Kurt! On Thu, Jun 28, 2012 at 7:12 AM, Kurt Seifried <kseifried () redhat com> wrote:So simply querying: ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 e.g.: http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 shows authors, SAPI modules (and their authors) and normal modules (and their authors), resulting in a significant information disclosure (version #'s can be narrowed down from the authors list). This has already been reported, but no CVE was assigned: https://bugs.php.net/bug.php?id=55497 It is mentioned in http://php.net/manual/en/ini.core.php however it is enabled by default: ; Decides whether PHP may expose the fact that it is installed on the server ; (e.g. by adding its signature to the Web server header). It is no security ; threat in any way, but it makes it possible to determine whether you use PHP ; on your server or not. ; http://www.php.net/manual/en/ini.core.php#ini.expose-php expose_php = OnWhy would it require a CVE and why is it seen as a security issue? Sure it could be, like unfiltered input and the like but... Cheers,I wasn't asking for a CVE for this issue (no "CVE Request: in subject), This is more of a place holder/information (oss-security is read by a lot of security vendors/etc, and is for more than just CVE assignments) and to make sure people are aware of the issue, since I wasn't even aware of it until someone pointed it out to me. Exposing the fact that I am running PHP is one thing. Exposing exactly which modules I have loaded is quite another.
http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 That url does not show loaded modules. One can also use for example: disable_functions = phpinfo in /etc/php.ini So, I guess that's sufficent. -- Regards // Oden Eriksson Security team manager - Mandriva CEO NUX AB
Current thread:
- PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Kurt Seifried (Jun 27)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Pierre Joye (Jun 27)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Kurt Seifried (Jun 28)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Oden Eriksson (Jun 28)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Kurt Seifried (Jun 28)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Matthias Weckbecker (Jun 27)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Johannes Schlüter (Jun 28)
- Re: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Stuart Henderson (Jun 28)
- RE: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Zeev Suraski (Jun 28)
- Re: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Kurt Seifried (Jun 28)
- Re: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Rasmus Lerdorf (Jun 28)
- Re: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Stuart Henderson (Jun 28)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Pierre Joye (Jun 27)