Re: PHP 3.0.14 Disclosure via POST requests

[romracer () MAIL UTEXAS EDU (Scott)]

But hasn't this been a known security issue?  Even in higher versions of PHP
I've seen it return full pathnames on errors and warnings.  It's something
you just have to be care of or turn off the option.  And phpinfo() is a
known security issue as well.  DOCUMENT_ROOT has always been a problem if
you aren't careful.  It's just a general practice that if you must have a
phpinfo() script somewhere that you give it the most obscure name possible.

Of course it would be better to just not have one in the first place.

Scott Wade
Systems Administrator
Brainwave Productions, LLC
romracer () mail utexas edu

----- Original Message -----
From: "Lars Hecking" <lhecking () NMRC IE>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Thursday, June 15, 2000 6:48 PM
Subject: Re: [BUGTRAQ] PHP 3.0.14 Disclosure via POST requests

 A similar disclosure is possible with Horde (www.horde.org) packages.

 Horde comes with a test.php3 file which displays server info, including
 full path names, through phpinfo(). The fix is to chmod 000 this file
 after installation.

 The secure.sh script, which should be run after installation and
 configuration, has been updated to perform this operation, but only
 in the cvs. All versions released so far, including horde-1.2.0-pre12,
 are vulnerable.

 HAND.