Bugtraq mailing list archives
Re: PHP 3.0.14 Disclosure via POST requests
From: romracer () MAIL UTEXAS EDU (Scott)
Date: Fri, 16 Jun 2000 13:24:56 -0500
But hasn't this been a known security issue? Even in higher versions of PHP I've seen it return full pathnames on errors and warnings. It's something you just have to be careful of, or turn off the option. And phpinfo() is a known security issue as well. DOCUMENT_ROOT has always been a problem if you aren't careful. It's just a general practice that if you must have a phpinfo() script somewhere, you give it the most obscure name possible. Of course it would be better to just not have one in the first place.

Scott Wade
Systems Administrator
Brainwave Productions, LLC
romracer () mail utexas edu

----- Original Message -----
From: "Lars Hecking" <lhecking () NMRC IE>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Thursday, June 15, 2000 6:48 PM
Subject: Re: [BUGTRAQ] PHP 3.0.14 Disclosure via POST requests

A similar disclosure is possible with Horde (www.horde.org) packages. Horde comes with a test.php3 file which displays server info, including full path names, through phpinfo(). The fix is to chmod 000 this file after installation. The secure.sh script, which should be run after installation and configuration, has been updated to perform this operation, but only in the cvs. All versions released so far, including horde-1.2.0-pre12, are vulnerable.

HAND.
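A defender-side script in the spirit of the chmod 000 fix described above for Horde's test.php3, written here as an added example that is neither from the thread nor from Horde's secure.sh; it scans a web root for scripts that call phpinfo() and locks them, and the web-root layout it works on is a constructed fixture in a temp directory:

```shell
#!/bin/sh
# Added example, not from the thread or from Horde's secure.sh:
# find scripts under a web root that call phpinfo() and set them
# to mode 000, the fix described for Horde's test.php3.

# perm_string FILE -> ls-style mode field, e.g. "----------"
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# list_phpinfo_scripts WEBROOT -> one path per line for every
# .php/.php3 file whose source calls phpinfo(
list_phpinfo_scripts() {
    find "$1" -type f \( -name '*.php' -o -name '*.php3' \) -print |
        while IFS= read -r f; do
            if grep -q 'phpinfo[[:space:]]*(' "$f"; then
                printf '%s\n' "$f"
            fi
        done
}

# lock_phpinfo_scripts WEBROOT -> chmod 000 each match and print
# the path of every file that was locked
lock_phpinfo_scripts() {
    list_phpinfo_scripts "$1" | while IFS= read -r f; do
        chmod 000 "$f" && printf '%s\n' "$f"
    done
}

# make_fixture -> builds a constructed web root in a temp dir and
# prints its path:
#   horde/test.php3  calls phpinfo()          (must be locked)
#   horde/index.php3 ordinary page            (must stay readable)
#   notes.txt        mentions phpinfo() in prose, not a script
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/horde"
    printf '<?php phpinfo(); ?>\n' > "$root/horde/test.php3"
    printf '<?php echo "Horde"; ?>\n' > "$root/horde/index.php3"
    printf 'remove phpinfo() scripts before going live\n' > "$root/notes.txt"
    echo "$root"
}

# Usage: lock the fixture and show the resulting mode of test.php3
ROOT=$(make_fixture)
lock_phpinfo_scripts "$ROOT"
perm_string "$ROOT/horde/test.php3"
rm -rf "$ROOT"
```

Run it as the web server's file owner (not root) so the mode-000 result is actually enforced against the PHP interpreter.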
Current thread:
- PHP 3.0.14 Disclosure via POST requests H D Moore (Jun 15)
- Re: PHP 3.0.14 Disclosure via POST requests Lars Hecking (Jun 15)
- Re: PHP 3.0.14 Disclosure via POST requests Scott (Jun 16)
- Re: PHP 3.0.14 Disclosure via POST requests Lars Hecking (Jun 15)