oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

From: Zeev Suraski <zeev () zend com>
Date: Thu, 28 Jun 2012 13:24:32 +0000
Would you expect a variable described as "Decides whether PHP may expose
the fact that it is installed on the server" to control whether an anonymous user
can fetch a list of enabled modules?


I wouldn't, and thankfully it does not.  The list you're seeing has nothing to do with what's enabled or disabled on 
the server.  It's a build-time list of all the modules that were available in the source tree.  It's completely static 
for a given version of PHP.  As an example, in the abovementioned URL, you see NSAPI, ISAPI and Apache 2.0 mentioned, 
although this is an Apache 1.3 server.  We also surely don't have COM and .NET installed on that Linux server either.

This is definitely not a security issue of any kind.

Zeev
Previous By Date Next
Previous By Thread Next

Current thread: