Bug #24024 Vulnerability in phpinfo()
Submitted: 2003-06-04 12:42 UTC Modified: 2004-09-04 21:59 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: rich dot fearn at btopenworld dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 4.3.1 OS: Linux
Private report: No CVE-ID: None
 [2003-06-04 12:42 UTC] rich dot fearn at btopenworld dot com
I've just received an e-mail about a vulnerability in the phpinfo() function.

If phpinfo() is used in a page on a web site, a parameter containing script can be passed to that page; that script will be executed.

For example, with the page:

<?php
phpinfo();
?>

stored as info.php, going to

http://<website>/info.php?test=<script>alert('Hello')</script>

will cause the script to be executed, resulting in a pop-up containing the message "Hello".

The vulnerability is due to the fact that parameters are not encoded when they are output in the 

_SERVER["argv"]

section of phpinfo()'s output. (In the other parts of the output where parameters are displayed, < and > characters are converted to the & entities.)
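A gated debugging page, added here as an example and not taken from the bug report or from PHP's own code: it renders the same request data phpinfo() shows but escapes $_GET and $_SERVER["argv"] identically, and answers only loopback clients (the loopback allow-list and the 404 response are assumptions for the example).

```php
<?php
// Added example (not from the bug report or PHP's source): a diagnostics page
// that escapes every reflected value the same way and is not publicly reachable.
declare(strict_types=1);

// HTML-escape a value; ENT_QUOTES also covers ' and " so the result is safe
// inside attribute values as well as text nodes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render $_GET and $_SERVER['argv'] (which, with register_argc_argv enabled,
// holds the raw query string split on '+') in one table with consistent escaping.
function render_request_debug(array $get, array $argv): string
{
    $rows = '';
    foreach ($get as $name => $value) {
        $flat = is_array($value) ? (string) json_encode($value) : (string) $value;
        $rows .= '<tr><td>_GET["' . h((string) $name) . '"]</td><td>' . h($flat) . '</td></tr>';
    }
    foreach ($argv as $i => $value) {
        $rows .= '<tr><td>_SERVER["argv"][' . (int) $i . ']</td><td>' . h((string) $value) . '</td></tr>';
    }
    return "<table>{$rows}</table>";
}

// Assumption for this example: only loopback clients may see diagnostics.
// Anyone else gets a 404 so the page's existence is not confirmed.
function client_is_local(array $server): bool
{
    return in_array($server['REMOTE_ADDR'] ?? '', ['127.0.0.1', '::1'], true);
}

if (!client_is_local($_SERVER)) {
    http_response_code(404);
    exit;
}

header('Content-Type: text/html; charset=UTF-8');
// For the report's URL (info.php?test=<script>alert('Hello')</script>) both rows
// show &lt;script&gt;alert(&#039;Hello&#039;)&lt;/script&gt; as text instead of
// executing it. The same client_is_local() gate belongs in front of phpinfo().
echo render_request_debug($_GET, $_SERVER['argv'] ?? []);
```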

 [2003-06-04 13:06 UTC] rasmus@php.net
phpinfo() is a debugging function.  It is not something that should be publicly accessible.  Adding filtering to it would make it much less useful as a debugging tool.
 [2004-08-08 12:40 UTC] grangeway at blueyonder dot co dot uk
Rasmus, you filter, or rather convert, < to &lt; for some strings (i.e. for ~6 strings), but not for _SERVER["argv"].

If it is a debugging tool, then the filtering should be removed from all strings? 

Otherwise surely argv should be handled in the same way as querystring, _GET['test'] etc etc.

Having inconsistent output of the same string when debugging just causes confusion.
 [2004-09-04 21:59 UTC] rasmus@php.net
Do you realize that version 4.3.1 is a year and a half old?  I just had a look at the current code to see what it did and _SERVER is escaped the same way everything else is.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Sep 11 19:01:27 2024 UTC