Nmap Development mailing list archives

[NSE] PHP version disclosure (OSVDB 12184)


From: Gutek <ange.gutek () gmail com>
Date: Sat, 22 May 2010 11:01:10 +0200


Ref: http://osvdb.org/12184

Many webadmins when dealing with PHP and security use several tricks
such as banner falsification etc. But many don't know about a hidden
joke inside PHP: an Easter egg left behind by developers.
It can be revealed by sending a specially crafted GET query. What's
interesting is the fact that
- this Easter egg changes in time,
- on a multihosting scenario, thousands of web admins are dependent
on a PHP configuration they can not access

So, if we know the different existing eggs and the PHP versions they
were hidden in, we can reveal a kind of information that the webadmin is
not even aware of.
Web Vuln Scanners like Nikto sometimes warn about this: "PHP reveals
potentially sensitive information via certain HTTP requests which
contain specific QUERY strings."

The queries
-----------

?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 -- shows a modified PHP logo
(gif). That's what the script (attached) tries to fetch.
?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 -- part of the phpinfo(),
shows dev' credits
?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 -- shows the Zend logo

Limitation
----------

In php.ini, if the PHP directive expose_php = off, this easteregg is
disabled.

The script
----------

It tries to fetch the modified PHP logo by GETting the special query
from the index page.
There are 5 known modified logos as of today, all GIF pictures which
have their respective first 9 hex digits (right after the GIF89a header)
different from each other.
The script captures it, md5(it) and finally compares it with already
known signatures.

Nmap scan report for 66.A5.236.132
Host is up (0.12s latency).
PORT   STATE SERVICE
80/tcp open  http
| php-easteregg: This EasterEgg Matches PHP Versions:
| 5.1.4,
|_5.2.0

\\//_ Live long and prosper,
A.G.

Attachment: php-easteregg.nse
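The check the post describes, as an added example (not the attached php-easteregg.nse or any Nmap code): it builds the easter-egg URL for a host you administer, fingerprints a GIF reply by md5 and by the 9 hex digits after the GIF89a header, and parses php.ini to confirm expose_php is off. The GIF bytes and the signature table are constructed placeholders, since the real md5 values are not given in the post.

```python
import hashlib
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

# Query strings from the post; the query is literally "?=" followed by the id.
LOGO_EGG = "PHPE9568F36-D428-11d2-A769-00AA001ACF42"     # modified PHP logo (gif)
CREDITS_EGG = "PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000"  # part of phpinfo(), dev credits
ZEND_EGG = "PHPE9568F35-D428-11d2-A769-00AA001ACF42"     # Zend logo


def easteregg_url(base_url: str, egg: str = LOGO_EGG) -> str:
    """Build the URL to test against your own host, e.g. http://host/?=PHPE..."""
    p = urlsplit(base_url)
    return urlunsplit((p.scheme, p.netloc, p.path or "/", "=" + egg, ""))


def logo_fingerprint(body: bytes) -> Optional[Dict[str, str]]:
    """Return md5 and the 9 hex digits after the GIF89a header when the egg
    answered with a GIF; None means no egg (expose_php off, or not PHP)."""
    if not body.startswith(b"GIF89a"):
        return None
    return {"md5": hashlib.md5(body).hexdigest(),
            "header_hex": body[6:].hex()[:9]}


def classify(body: bytes, known: Dict[str, List[str]]) -> Optional[List[str]]:
    """Map a fetched logo to PHP versions via a {md5: [versions]} table."""
    fp = logo_fingerprint(body)
    return None if fp is None else known.get(fp["md5"], [])


def expose_php_enabled(php_ini: str) -> bool:
    """True unless php.ini sets expose_php to an off value (PHP's default is On)."""
    for raw in php_ini.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ini comments
        m = re.match(r"expose_php\s*=\s*(\S+)", line, re.I)
        if m:
            return m.group(1).strip("\"'").lower() in ("on", "1", "true", "yes")
    return True


# Constructed 1x1 GIF standing in for a logo reply; not a real PHP easter egg.
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
              b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
# Placeholder signature table; real md5 values are not given in the post.
CONSTRUCTED_SIGNATURES = {hashlib.md5(SAMPLE_GIF).hexdigest(): ["5.1.4", "5.2.0"]}

if __name__ == "__main__":
    print(easteregg_url("http://example.test/"))
    print(classify(SAMPLE_GIF, CONSTRUCTED_SIGNATURES))
    print(expose_php_enabled("expose_php = Off"))
```

A reply that is not a GIF (None from classify) on a host you own means the egg is disabled; a GIF reply with no table match means expose_php is still on and the logo is simply not in your table.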
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/