Nmap Development mailing list archives
[NSE] PHP version disclosure (OSVDB 12184)
From: Gutek <ange.gutek () gmail com>
Date: Sat, 22 May 2010 11:01:10 +0200
Ref: http://osvdb.org/12184

Many webadmins when dealing with PHP and security use several tricks such as banner falsification etc. But many don't know about a hidden joke inside PHP: an Easter egg left behind by developers. It can be revealed by sending a specially crafted GET query. What's interesting is the fact that

- this Easter egg changes in time,
- on a multihosting scenario, thousands of web admins are dependent on a PHP configuration they can not access

So, if we know the different existing eggs and the PHP versions they were hidden in, we can reveal a kind of information that the webadmin is not even aware of. Web vuln scanners like Nikto sometimes warn about this: "PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings."

The queries
-----------
?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 -- shows a modified PHP logo (gif). That's what the script (attached) tries to fetch.
?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 -- part of the phpinfo(), shows dev' credits
?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 -- shows the Zend logo

Limitation
----------
In php.ini, if the PHP directive expose_php = off, this Easter egg is disabled.

The script
----------
It tries to fetch the modified PHP logo by GETting the special query from the index page. There are 5 known modified logos as of today, all GIF pictures which have their respective 9 first hex digits (right after the GIF89a header) different from each other. The script captures it, md5(it) and finally compares it with already known signatures.

Nmap scan report for 66.A5.236.132
Host is up (0.12s latency).
PORT   STATE SERVICE
80/tcp open  http
| php-easteregg: This EasterEgg Matches PHP Versions:
| 5.1.4,
|_5.2.0

\\//_ Live long and prosper,
A.G.
Attachment: php-easteregg.nse
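As an added example (not part of Gutek's post or the attached NSE script), a defender-side check that flags requests carrying the three easter-egg query strings listed in the post when run over Apache/nginx combined-format access logs. The log lines are constructed for the example and the client addresses are documentation-range placeholders.

```python
"""Flag PHP easter-egg probes (OSVDB 12184) in web server access logs."""
import re
from urllib.parse import urlsplit, parse_qsl

# The three query values named in the post and what each one reveals.
EASTER_EGGS = {
    "PHPE9568F36-D428-11d2-A769-00AA001ACF42": "PHP logo (varies by PHP version)",
    "PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000": "PHP credits (part of phpinfo)",
    "PHPE9568F35-D428-11d2-A769-00AA001ACF42": "Zend logo",
}
_EGGS_UPPER = {k.upper(): v for k, v in EASTER_EGGS.items()}  # case-insensitive lookup

# Apache/nginx "combined" format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def classify_request(path):
    """Return the egg description when the URL carries an empty-named query
    parameter whose value is one of the known GUIDs (?=PHP...), else None."""
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if name == "" and value.upper() in _EGGS_UPPER:
            return _EGGS_UPPER[value.upper()]
    return None

def scan_log(lines):
    """Return (client ip, timestamp, status, egg description) for each probe.
    A 200 here does not prove the egg was served: the index page answers 200
    either way, so confirm expose_php = Off in php.ini to close the disclosure."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        egg = classify_request(m["path"])
        if egg:
            hits.append((m["ip"], m["ts"], int(m["status"]), egg))
    return hits

# Constructed sample log: two probes from one client, one ordinary request.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/May/2010:11:01:10 +0200] "GET /index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/May/2010:11:01:11 +0200] "GET /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 HTTP/1.1" 200 18711 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [22/May/2010:11:02:00 +0200] "GET /index.php?page=about HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, status, egg in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} probed for {egg} (HTTP {status})")
```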
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] PHP version disclosure (OSVDB 12184) Gutek (May 22)
- Re: [NSE] PHP version disclosure (OSVDB 12184) David Fifield (May 27)
- Re: [NSE] PHP version disclosure (OSVDB 12184) Gutek (May 27)
- Re: [NSE] PHP version disclosure (OSVDB 12184) Gutek (May 29)
- Re: [NSE] PHP version disclosure (OSVDB 12184) David Fifield (Jun 18)
- Re: [NSE] PHP version disclosure (OSVDB 12184) David Fifield (May 27)