php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #18553 phpinfo() allows cross-site scripting
Submitted: 2002-07-24 20:52 UTC Modified: 2002-07-25 04:32 UTC
From: olegpro at operamail dot com Assigned:
Status: Not a bug Package: Feature/Change Request
PHP Version: 4.2.2 OS: Win'2k
Private report: No CVE-ID: None
 [2002-07-24 20:52 UTC] olegpro at operamail dot com
Hi!

phpinfo() is vulnerable to cross-site scripting.
printing of _SERVER["argv"] of is vulnerable.

// phpinfo.php
<?
phpinfo();
?>

http://localhost/phpinfo.php?z=<SCRIPT>alert('Hello world!');</SCRIPT>


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-07-25 04:32 UTC] sniper@php.net
Sorry, but the bug system is not the appropriate forum for asking
support questions. Your problem does not imply a bug in PHP itself.
For a list of more appropriate places to ask for help using PHP,
please visit http://www.php.net/support.php

Thank you for your interest in PHP.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sun May 22 05:05:45 2022 UTC