php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #19881 phpinfo() Security Problem
Submitted: 2002-10-12 18:16 UTC Modified: 2002-10-13 21:38 UTC
From: mattmurphy at kc dot rr dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 4.2.3 OS: Win32
Private report: No CVE-ID: None
 [2002-10-12 18:16 UTC] mattmurphy at kc dot rr dot com
phpinfo() in PHP 4.2.3 uses a special query string to cause a script to return the PHP logo.  phpinfo() fails to strip any query string off of the URI before writing it to the browser.  This opens up two issues, one a nuisance, and the other a more serious security issue:

--- INFO.PHP ---
<?php phpinfo(); ?>
--- INFO.PHP ---

Yes, I know that's a security risk to allow anonymous users access to debug information, but this is actually an example of a default script in many web applications/servers (BadBlue web server, for example).

http://localhost/info.php?"><SCRIPT>alert(document.URL)</SCRIPT>=x

Some browsers will not encode this, and this results in:

<img src="/info.php?"><SCRIPT>alert(document.URL)</SCRIPT>?=PHPE9568F34-D428-11d2-A769-00AA001ACF42" border=0 align="right" alt="PHP Logo">

The security issue here is a cross-site scripting exposure -- not only does PHP fail to strip the query string, it also fails to filter any HTML entities contained in it.

The nuisance problem is that the ALT tag is displayed, but the script executes a regular phpinfo(), and returns a bogus image.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-10-12 22:42 UTC] sniper@php.net
If I understood your concern correctly, only thing you
have to do is to set 'expose_php=off' in your php.ini file.

 [2002-10-12 23:54 UTC] mattmurphy at kc dot rr dot com
That setting does indeed eliminate the image tag bug.  It could be used as a temporary workaround for this issue.  The correct behavior would be for PHP to eradicate the query string before using it in a URL.
 [2002-10-13 21:38 UTC] sniper@php.net
This is the solution, not workaround..

 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Jul 31 03:01:23 2021 UTC