PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So simply querying:

?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

e.g.:

http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

shows authors, SAPI modules (and their authors) and normal modules
(and their authors), resulting in a significant information disclosure
(version #'s can be narrowed down from the authors list).

This has already been reported, but no CVE was assigned:

https://bugs.php.net/bug.php?id=55497

It is mentioned in http://php.net/manual/en/ini.core.php however it is
enabled by default:

; Decides whether PHP may expose the fact that it is installed on the
server
; (e.g. by adding its signature to the Web server header).  It is no
security
; threat in any way, but it makes it possible to determine whether you
use PHP
; on your server or not.

; http://www.php.net/manual/en/ini.core.php#ini.expose-php

expose_php = On



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP6+fUAAoJEBYNRVNeJnmTk5UQAJebKDKDxL/7HWz3rPcgonLl
+45EykI+EPgH2dTmPk1vImMa+o074TgPdZYgsupDZc2jiHkyK8qo29zV3VZgg0Gk
U8o4V1sZbt/dHiwZYagPOn4zz5A9Z+QNgnWiNCD4FZyWIBRDzWRrqfrHUjmHKPC1
f50OHEvm1Gsu05jchyH8klj1MlIeLN86ZzlONieDU6nf8i93qLSd6R9EK/HpsET7
6OMyrLlRNECiozruGhkCx7Eb0B1kjKESnwhiTWJh3xmnyK4ec2iICKvD3oOl7cFm
FwXl59Iy41gpaHQW6qGyWSp942pLcQjWxixgFapJaqmnJyvE94OMdYr/dsOBHpo/
329V66HBEFqIeC3tOLWVdKoor0EzRWbSerBbybyYhge48r3Ofn+QOKk8+1Oo2rpw
AG7shGxDVCoAG77liMP7uKpFSnhVaBQTpKmqP16ca0e6IeqgJJKKUaj/ZFzyLVdV
KvbhzPhHPG9vmjHtfgj1DRxQop4O2uVzvPNtXw/H0F8MqFNCpT/P4BQ5uXYPBqAE
YdOAiS0hbdd5SRwRwLRXFRnbz14o8td36xRg1OcngPnaAZ4fnA/1xAtlDNHutUbZ
OxNdpX0q2RfcqdXyiLoNp0n8BK+2cpNB/2yDvpolwyxKAfoVL5whgxKc52FzTe6l
BrJsFUQkSUq+niiiaE7U
=Xv+O
-----END PGP SIGNATURE-----