oss-sec mailing list archives
Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
From: Pierre Joye <pierre.php () gmail com>
Date: Thu, 28 Jun 2012 08:13:14 +0200
hi Kurt! On Thu, Jun 28, 2012 at 7:12 AM, Kurt Seifried <kseifried () redhat com> wrote:
So simply querying: ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 e.g.: http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 shows authors, SAPI modules (and their authors) and normal modules (and their authors), resulting in a significant information disclosure (version #'s can be narrowed down from the authors list). This has already been reported, but no CVE was assigned: https://bugs.php.net/bug.php?id=55497 It is mentioned in http://php.net/manual/en/ini.core.php however it is enabled by default: ; Decides whether PHP may expose the fact that it is installed on the server ; (e.g. by adding its signature to the Web server header). It is no security ; threat in any way, but it makes it possible to determine whether you use PHP ; on your server or not. ; http://www.php.net/manual/en/ini.core.php#ini.expose-php expose_php = On
Why would it require a CVE and why is it seen as a security issue? Sure it could be, like unfiltered input and the like but... Cheers, -- Pierre @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
Current thread:
- PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Kurt Seifried (Jun 27)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Pierre Joye (Jun 27)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Kurt Seifried (Jun 28)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Oden Eriksson (Jun 28)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Kurt Seifried (Jun 28)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Matthias Weckbecker (Jun 27)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Johannes Schlüter (Jun 28)
- Re: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Stuart Henderson (Jun 28)
- RE: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Zeev Suraski (Jun 28)
- Re: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Kurt Seifried (Jun 28)
- Re: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Rasmus Lerdorf (Jun 28)
- Re: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Stuart Henderson (Jun 28)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Pierre Joye (Jun 27)