Bug #20750 Serious security hole when accessing phpinfo() in a .htaccess protected dir.
Submitted: 2002-12-01 13:37 UTC Modified: 2002-12-02 02:31 UTC
From: kapp at bigping dot de Assigned:
Status: Not a bug Package: Apache related
PHP Version: 4.2.3 OS: all
Private report: No CVE-ID: None

 [2002-12-01 13:37 UTC] kapp at bigping dot de
On all servers we administrate, we always install an 'info.php' file which only contains the phpinfo() function.

Now I found that PHP returns the transmitted password in clear text to the browser. The page is stored in the browser's cache, or someone could just have a look at my screen. :-((

I think this is a serious security hole.
The password should not be returned to the browser in any way; best would be to show some asterisks ('*******') to show that the variable exists.

Ulrich Kapp

 [2002-12-02 02:31 UTC] sesser@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

If you do not want your users to see this information, then do not give them the ability to view phpinfo().
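An added example, not part of the original report or of PHP itself: one way to act on the reply above is to audit a document root for scripts that call phpinfo(), such as the 'info.php' files the submitter describes, so they can be removed or access-restricted. The suffix list, function names and sample files are assumptions made for this sketch.

```python
import re
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".inc"}  # assumed set of PHP-handled suffixes
# Code between <? / <?php / <?= and ?> (or end of file).
PHP_BLOCK = re.compile(r"<\?(?:php\b|=)?(.*?)(?:\?>|\Z)", re.S | re.I)
# Comments and string literals, blanked out before searching so that a
# commented-out or quoted "phpinfo()" is not reported.
NOISE = re.compile(
    r"""/\*.*?\*/ | (?://|\#)[^\n]* | '(?:\\.|[^'\\])*' | "(?:\\.|[^"\\])*" """,
    re.S | re.X,
)
# A call to the built-in, not a method ($o->phpinfo) or a longer name.
CALL = re.compile(r"(?<![\w$>:])phpinfo\s*\(", re.I)

def calls_phpinfo(source):
    """True if any PHP block in `source` contains a live phpinfo() call."""
    return any(CALL.search(NOISE.sub(" ", block))
               for block in PHP_BLOCK.findall(source))

def find_phpinfo_files(docroot):
    """Return docroot-relative paths of PHP files that call phpinfo()."""
    hits = []
    for path in sorted(Path(docroot).rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            if calls_phpinfo(path.read_text(errors="replace")):
                hits.append(path.relative_to(docroot).as_posix())
    return hits

def make_sample_docroot():
    """Build a constructed docroot (sample data for this example only)."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "admin/info.php": "<?php phpinfo(); ?>",
        "test.phtml": "<html><?php\n/* debug */ PHPInfo (INFO_VARIABLES);",
        "index.php": "<?php // phpinfo();\necho 'phpinfo() is disabled'; ?>",
        "lib/util.inc": "<?php $diag->phpinfo(); my_phpinfo(); ?>",
        "notes.txt": "<?php phpinfo(); ?>",  # not a PHP suffix, skipped
    }
    for name, body in samples.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_text(body)
    return root

if __name__ == "__main__":
    for hit in find_phpinfo_files(make_sample_docroot()):
        print("phpinfo() exposed by:", hit)
```

The match is a heuristic over source text; dynamic calls such as a function name held in a variable are not detected.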
 
Last updated: Tue Jul 01 19:01:37 2025 UTC