oss-sec mailing list archives

Re: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000


From: Stuart Henderson <stu () spacehopper org>
Date: Thu, 28 Jun 2012 14:15:44 +0100

On 2012/06/28 12:34, Johannes Schlüter wrote:
> Hi,
>
> On Wed, 2012-06-27 at 23:12 -0600, Kurt Seifried wrote:
> > http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
> >
> > shows authors, SAPI modules (and their authors) and normal modules
> > (and their authors), resulting in a significant information disclosure
> > (version #'s can be narrowed down from the authors list).
>
> I have barely seen attackers actually trying to figure out the version
> number. 99% are directly trying to exploit known vectors using some
> scripts. And to get the version number there's a way simpler way, also
> controlled using the same php.ini setting:
>
>     $ echo "HEAD / HTTP/1.0\n" | nc www.php.net 80 | grep PHP
>     Server: Apache/1.3.41 (Unix) PHP/5.2.17
>     X-Powered-By: PHP/5.2.17

Would you expect a variable described as "Decides whether PHP may
expose the fact that it is installed on the server" to control
whether an anonymous user can fetch a list of enabled modules?
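
An added example, not part of the original thread: a small offline audit that reads the effective `expose_php` value from php.ini text and flags PHP version tokens in the `Server` and `X-Powered-By` headers shown above. The function names and sample inputs are hypothetical, and the ini parsing is simplified (one file, no per-directory sections or additional ini files).

```python
import re

# Constructed sample inputs; the header values are the ones quoted in this thread.
SAMPLE_INI = """\
; constructed sample php.ini
[PHP]
expose_php = On   ; shipped default
expose_php = Off
"""
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.41 (Unix) PHP/5.2.17\r\n"
    "X-Powered-By: PHP/5.2.17\r\n"
    "\r\n"
)

def expose_php_enabled(ini_text):
    """Effective expose_php value; a later directive overrides an earlier one."""
    enabled = True  # PHP's built-in default when the directive is absent
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(r"expose_php\s*=\s*(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        value = m.group(1).strip().strip("\"'").lower()
        enabled = value in ("on", "yes", "true") or (value.isdigit() and int(value) != 0)
    return enabled

def php_versions_in_headers(raw_response):
    """Map header name -> PHP version for Server / X-Powered-By headers."""
    found = {}
    for line in raw_response.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # end of headers
        name, _, value = line.partition(":")
        m = re.search(r"PHP/([0-9][0-9A-Za-z.\-]*)", value)
        if m and name.strip().lower() in ("server", "x-powered-by"):
            found[name.strip().lower()] = m.group(1)
    return found

def audit(ini_text, raw_response):
    """Findings for one config file and one captured response."""
    findings = []
    if expose_php_enabled(ini_text):
        # Per this thread, the same setting also governs the ?=PHPB8B5... credits page.
        findings.append("expose_php is On: version headers and credits page are exposed")
    for header, version in sorted(php_versions_in_headers(raw_response).items()):
        findings.append(f"{header} header discloses PHP/{version}")
    return findings
```

With the sample inputs the file says `Off` while the captured response still carries version tokens, which is the mismatch to look for when a different ini file is actually loaded or the server was not restarted.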

