Bug #24024 Vulnerability in phpinfo()
Submitted: 2003-06-04 12:42 UTC Modified: 2004-09-04 21:59 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: rich dot fearn at btopenworld dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 4.3.1 OS: Linux
Private report: No CVE-ID: None
 [2003-06-04 12:42 UTC] rich dot fearn at btopenworld dot com
I've just received an e-mail about a vulnerability in the phpinfo() function.

If phpinfo() is used in a page on a web site, a parameter containing script can be passed to that page; that script will be executed.

For example, with the page:

<?php
phpinfo();
?>

stored as info.php, going to

http://<website>/info.php?test=<script>alert('Hello')</script>

will cause the script to be executed, resulting in a pop-up containing the message "Hello".

The vulnerability is due to the fact that parameters are not encoded when they are output in the 

_SERVER["argv"]

section of phpinfo()'s output. (In the other parts of the output where parameters are displayed, < and > characters are converted to the &lt; and &gt; entities.)
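As an added illustration (not code from this report or from PHP's own phpinfo() source), the following debug page routes every displayed request value, argv included, through a single escaping helper, which is the consistency the report asks for. The sample $_GET and $_SERVER values are constructed from the query string quoted above.

```php
<?php
// Added example, not part of the bug report or of phpinfo() itself.
// A debug page stays safe to view only if every field is escaped the
// same way; this helper is the one place where that happens.

/** Escape a value for inclusion in HTML text content. */
function debug_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render an associative array as an HTML table, escaping keys and values. */
function render_debug_table(string $title, array $rows): string
{
    $html = '<h2>' . debug_escape($title) . "</h2>\n<table>\n";
    foreach ($rows as $key => $value) {
        // argv is itself an array; flatten it the way phpinfo() displays it.
        $text = is_array($value) ? implode(' ', $value) : (string) $value;
        $html .= '<tr><td>' . debug_escape((string) $key) . '</td><td>'
               . debug_escape($text) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed sample request: the query string from the report as it would
// appear in $_GET and, with register_argc_argv enabled, in $_SERVER['argv'].
$get    = ['test' => "<script>alert('Hello')</script>"];
$server = [
    'argv'           => ["test=<script>alert('Hello')</script>"],
    'REQUEST_METHOD' => 'GET',
];

$out = render_debug_table('_GET', $get) . render_debug_table('_SERVER', $server);

// Self-check: the raw tag from the input must not survive in any section,
// while its escaped form must be present. (Explicit checks rather than
// assert(), which production php.ini settings compile out.)
if (strpos($out, '<script>') !== false || strpos($out, '&lt;script&gt;') === false) {
    throw new RuntimeException('debug output contains unescaped request data');
}

echo $out;
```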

 [2003-06-04 13:06 UTC] rasmus@php.net
phpinfo() is a debugging function.  It is not something that should be publicly accessible.  Adding filtering to it would make it much less useful as a debugging tool.
 [2004-08-08 12:40 UTC] grangeway at blueyonder dot co dot uk
Rasmus, you filter, or rather convert, < to &lt; for some strings (i.e. for ~6 strings), but not for _SERVER["argv"].

If it is a debugging tool, then should the filtering be removed from all strings?

Otherwise, surely argv should be handled in the same way as the query string, _GET['test'], etc.

Having inconsistent output of the same string when debugging just causes confusion.
 [2004-09-04 21:59 UTC] rasmus@php.net
Do you realize that version 4.3.1 is a year and a half old?  I just had a look at the current code to see what it did and _SERVER is escaped the same way everything else is.