PHP :: Bug #17716 :: Webroot Disclosure in Error Output

Bug #17716

Webroot Disclosure in Error Output

Submitted:

2002-06-11 18:08 UTC

Modified:

2002-06-11 18:55 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

mattmurphy at kc dot rr dot com

Assigned:

Status:

Not a bug

Package:

Output Control

PHP Version:

4.2.1

OS:

Win32

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	mattmurphy at kc dot rr dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2002-06-11 18:08 UTC] mattmurphy at kc dot rr dot com

PHP 4.2.1 Path Disclosure Bug

System Details:
  - Windows Me
  - PHP 4.2.1 as CGI on Xitami 2.49d
  - No modules

PHP 4.2.1 (possibly and probably others) can disclose path information in error output.  This is due to the fact that PHP discloses the full path of failing scripts.  For example, take the deliberately malformed "Error.php":

<?php
@if ($action == "error") {
}
?>

This script produces the following output:

Parse error: parse error, unexpected T_IF in C:\INETPUB\WWWROOT\error.php on line 2

As you can see, this includes the path of the web root in the error data.  This is surplus information at best, and at worst, data that could aid an attack against the server.

While this script produces a parse error, it should be noted that default installs of 4.2.1 produce this on such small events as notices as well.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-06-11 18:25 UTC] edink@php.net

If you prefer security through obscurity you can put the following two lines in your php.ini:

expose_php=Off 
display_errors=Off

[2002-06-11 18:45 UTC] mattmurphy at kc dot rr dot com

Reading through php.ini, there are more security comments than lines of configuration, so I would think this would be a default not to error output to the user, at least.  I would be more satisfied if the path of the script were replaced with its name (such as switching "C:\INETPUB\WWWROOT\SOMESCRIPT.PHP" with simply "SOMESCRIPT.PHP", instead (at least in output error info; putting the path in logging would probably be okay).

[2002-06-11 18:55 UTC] sniper@php.net

And if cows could fly we wouldn't need any planes.
Just use the proposed ini options.
And ask further support questions elsewhere. 

Thank you for using PHP.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2023 The PHP Group All rights reserved.	Last updated: Tue Mar 28 10:03:44 2023 UTC