PHP :: Bug #19881 :: phpinfo() Security Problem

Bug #19881	phpinfo() Security Problem
Submitted:	2002-10-12 18:16 UTC	Modified:	2002-10-13 21:38 UTC
From:	mattmurphy at kc dot rr dot com	Assigned:
Status:	Not a bug	Package:	*General Issues
PHP Version:	4.2.3	OS:	Win32
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	mattmurphy at kc dot rr dot com
New email:
PHP Version:		OS:

New Comment:

[2002-10-12 18:16 UTC] mattmurphy at kc dot rr dot com

phpinfo() in PHP 4.2.3 uses a special query string to cause a script to return the PHP logo.  phpinfo() fails to strip any query string off of the URI before writing it to the browser.  This opens up two issues, one a nuisance, and the other a more serious security issue:

--- INFO.PHP ---
<?php phpinfo(); ?>
--- INFO.PHP ---

Yes, I know that's a security risk to allow anonymous users access to debug information, but this is actually an example of a default script in many web applications/servers (BadBlue web server, for example).

http://localhost/info.php?"><SCRIPT>alert(document.URL)</SCRIPT>=x

Some browsers will not encode this, and this results in:

<img src="/info.php?"><SCRIPT>alert(document.URL)</SCRIPT>?=PHPE9568F34-D428-11d2-A769-00AA001ACF42" border=0 align="right" alt="PHP Logo">

The security issue here is a cross-site scripting exposure -- not only does PHP fail to strip the query string, it also fails to filter any HTML entities contained in it.

The nuisance problem is that the ALT tag is displayed, but the script executes a regular phpinfo(), and returns a bogus image.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-10-12 22:42 UTC] sniper@php.net

If I understood your concern correctly, only thing you
have to do is to set 'expose_php=off' in your php.ini file.

[2002-10-12 23:54 UTC] mattmurphy at kc dot rr dot com

That setting does indeed eliminate the image tag bug.  It could be used as a temporary workaround for this issue.  The correct behavior would be for PHP to eradicate the query string before using it in a URL.

[2002-10-13 21:38 UTC] sniper@php.net

This is the solution, not workaround..

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Nov 23 05:01:32 2024 UTC