Bugtraq mailing list archives
Re: PHP 3.0.14 Disclosure via POST requests
From: lhecking () NMRC IE (Lars Hecking)
Date: Fri, 16 Jun 2000 00:48:47 +0100
I noticed some not-so-good behavior in PHP 3.0.14 when dealing with POST requests that do not contain a content-type header in the request (illegal). The server will return the page anyways, but the first line will be a PHP warning message containing the full path to that file.
A similar disclosure is possible with Horde (www.horde.org) packages. Horde comes with a test.php3 file which displays server info, including full path names, through phpinfo(). The fix is to chmod 000 this file after installation. The secure.sh script, which should be run after installation and configuration, has been updated to perform this operation, but only in CVS. All versions released so far, including horde-1.2.0-pre12, are vulnerable. HAND.
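The symptom described in this thread (a served page whose first line is a PHP warning carrying the script's absolute path) can be checked for in a server's own responses. The following is an added example, not code from the thread, PHP or Horde; the response bodies and the warning text are constructed, and the regex is written to cover both PHP's plain-text and HTML-tagged warning formats.

```python
import re
from typing import List, Tuple

# Matches a PHP warning line in either plain-text form
# ("Warning: msg in /path on line N") or the HTML-tagged form
# ("<b>Warning</b>: msg in <b>/path</b> on line <b>N</b>") and captures the
# message, the absolute script path and the line number that it leaks.
PHP_WARNING_RE = re.compile(
    r"(?:<b>)?Warning(?:</b>)?:\s+(?P<msg>.*?)\s+in\s+"
    r"(?:<b>)?(?P<path>/[^<\s]+)(?:</b>)?\s+on\s+line\s+(?:<b>)?(?P<line>\d+)",
    re.IGNORECASE,
)


def find_path_disclosures(body: str) -> List[Tuple[str, str, int]]:
    """Return (message, path, line) for every PHP warning in a response body
    that reveals an absolute filesystem path."""
    return [
        (m.group("msg"), m.group("path"), int(m.group("line")))
        for m in PHP_WARNING_RE.finditer(body)
    ]


def leaked_paths(body: str) -> List[str]:
    """Just the filesystem paths disclosed by a response body."""
    return [path for _, path, _ in find_path_disclosures(body)]


# Constructed sample bodies (not captured traffic). LEAKY_BODY mimics the
# behaviour described above: the page is served normally, but a PHP warning
# naming the script's full path precedes it. The warning text is made up.
LEAKY_BODY = (
    "<br>\n<b>Warning</b>:  POST request without Content-Type in "
    "<b>/usr/local/apache/htdocs/horde/test.php3</b> on line <b>1</b><br>\n"
    "<html><body>ok</body></html>\n"
)
CLEAN_BODY = "<html><body>ok</body></html>\n"

if __name__ == "__main__":
    for msg, path, line in find_path_disclosures(LEAKY_BODY):
        print("path disclosure: %s (line %d): %s" % (path, line, msg))
    print("clean body hits:", len(find_path_disclosures(CLEAN_BODY)))
```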