Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

[Pierre Joye <pierre.php () gmail com>]

hi Kurt!

On Thu, Jun 28, 2012 at 7:12 AM, Kurt Seifried <kseifried () redhat com> wrote:

> So simply querying:
>
> ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
>
> e.g.:
>
> http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
>
> shows authors, SAPI modules (and their authors) and normal modules
> (and their authors), resulting in a significant information disclosure
> (version #'s can be narrowed down from the authors list).
>
> This has already been reported, but no CVE was assigned:
>
> https://bugs.php.net/bug.php?id=55497
>
> It is mentioned in http://php.net/manual/en/ini.core.php however it is
> enabled by default:
>
> ; Decides whether PHP may expose the fact that it is installed on the
> server
> ; (e.g. by adding its signature to the Web server header).  It is no
> security
> ; threat in any way, but it makes it possible to determine whether you
> use PHP
> ; on your server or not.
>
> ; http://www.php.net/manual/en/ini.core.php#ini.expose-php
>
> expose_php = On

Why would it require a CVE and why is it seen as a security issue?
Sure it could be, like unfiltered input and the like but...

Cheers,
-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org