Bug #55497 Credits URL Security ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
Submitted: 2011-08-24 02:35 UTC Modified: 2011-08-25 00:19 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: mhaisley at gmail dot com Assigned:
Status: Not a bug Package: PHP options/info functions
PHP Version: Irrelevant OS: Any
Private report: No CVE-ID: None
 [2011-08-24 02:35 UTC] mhaisley at gmail dot com
Description:
------------
?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 displays php credits, it also displays 
credits for all modules.

This effectively makes it a security issue since it allows an attacker to scan for 
a specific vulnerable module and then exploit it. 

Test script:
---------------
http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

Expected result:
----------------
?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 should be disabled by default, or 
display generic information only.   The current behavior is unacceptable. 

Actual result:
--------------
Specific information regarding installed modules is displayed. 

 [2011-08-25 00:19 UTC] johannes@php.net
-Status: Open +Status: Bogus
 [2011-08-25 00:19 UTC] johannes@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Attackers can easily brute force without knowing the version. But if you fear this makes things insecure you can set expose_php=Off in php.ini.
 [2011-08-25 03:27 UTC] mhaisley at gmail dot com
Sorry, but it is a real issue. 

It should be disabled by default.
 [2012-09-12 06:42 UTC] support at ecommercewebsites dot com dot au
Nope - this is not a bug.
Just disable it in your config file.
 [2012-10-10 17:26 UTC] ian_dunn at yahoo dot com
I agree with mhaisley, this is a security vulnerability and should be disabled by 
default. Many PCI compliance scanners will fail a site if it is turned on.

I realize that it's not a major vulnerability, but it does give attackers 
information that could help them compromise a system. What are the benefits of 
having it enabled by default? I can't think of any significant ones. Whatever 
benefits there are, they'd have to outweigh the downsides, and that doesn't seem 
likely in this case.
 [2012-10-10 17:33 UTC] nikic@php.net
@ian_dunn: The logo GUIDs have been removed in master. So presumably this issue (whether it actually is one or not) will not exist anymore in PHP 5.5.
 [2012-10-24 19:10 UTC] joaoprabelo at gmail dot com
nikic, but now I know when PHP is 5.5 or higher easily. Or isn't it?
 [2016-02-01 15:58 UTC] shadowsiam8 at gmail dot com
That's really BS, what's the point of having that info available? If the server owner wants to know about PHP stuff they can simply use the already known phpinfo(). What a waste of resources having it process such a useless page. It may not be a bug, but it's a bad design choice then. I got shocked when I found out about the param and realized that it was working in a website of mine, where I don't have access to php.ini, so I'm not sure if I can disable such an option. Fix... err... CHANGE it now! And I don't mean simply making it disabled by default, I mean scratching it out for good.
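
Added example (not part of the original report or of PHP itself): a log check a site operator could run to see which clients have requested the credits URL discussed in this thread. The regex generalizes from the single GUID quoted above to any `=PHP<GUID>` query string; the function name, sample IPs and log lines are constructed for illustration, and the combined access log format is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# "=PHP" followed by a GUID, as in the credits URL quoted in the report.
PROBE_RE = re.compile(
    r"=PHP[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}",
    re.IGNORECASE,
)
# Common/combined access log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample input (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Aug/2011:02:35:10 +0000] "GET /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 HTTP/1.1" 200 8123',
    '203.0.113.7 - - [24/Aug/2011:02:35:11 +0000] "GET /shop/index.php?=phpb8b5f2a0-3c92-11d3-a3a9-4c7b08c10000 HTTP/1.1" 200 8123',
    '198.51.100.23 - - [24/Aug/2011:02:36:00 +0000] "GET /index.php?page=PHP-news HTTP/1.1" 200 5120',
    '192.0.2.44 - - [24/Aug/2011:02:37:42 +0000] "GET /?%3DPHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 HTTP/1.1" 200 5120',
    'this line is not an access log entry',
]

def find_probes(lines):
    """Return {client_ip: [(timestamp, path, token, status), ...]} for probe requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        path, _, query = m["target"].partition("?")
        # Decode first so percent-encoded variants of the query are flagged too.
        probe = PROBE_RE.search(unquote(query))
        if probe:
            token = probe.group(0)[1:].upper()  # drop the leading "="
            hits[m["ip"]].append((m["ts"], path, token, int(m["status"])))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in find_probes(SAMPLE_LOG).items():
        print(ip, len(events), "probe request(s)")
```

A 200 status alone does not show that the credits page was served, because with expose_php=Off the same URL simply returns the normal page; compare the response size against an ordinary request to tell the two apart.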
 