oss-sec mailing list archives

Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

From: "Oden Eriksson" <oeriksson () mandriva com>
Date: Thu, 28 Jun 2012 19:40:35 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/28/2012 12:13 AM, Pierre Joye wrote:

hi Kurt!

On Thu, Jun 28, 2012 at 7:12 AM, Kurt Seifried
<kseifried () redhat com> wrote:

So simply querying:

?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

e.g.:

http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

shows authors, SAPI modules (and their authors) and normal
modules (and their authors), resulting in a significant
information disclosure (version #'s can be narrowed down from the
authors list).

This has already been reported, but no CVE was assigned:

https://bugs.php.net/bug.php?id=55497

It is mentioned in http://php.net/manual/en/ini.core.php however
it is enabled by default:

; Decides whether PHP may expose the fact that it is installed on
the server ; (e.g. by adding its signature to the Web server
header).  It is no security ; threat in any way, but it makes it
possible to determine whether you use PHP ; on your server or
not.

; http://www.php.net/manual/en/ini.core.php#ini.expose-php

expose_php = On


Why would it require a CVE and why is it seen as a security issue?
Sure it could be, like unfiltered input and the like but...

Cheers,


I wasn't asking for a CVE for this issue (no "CVE Request: in
subject), This is more of a place holder/information (oss-security is
read by a lot of security vendors/etc, and is for more than just CVE
assignments) and to make sure people are aware of the issue, since I
wasn't even aware of it until someone pointed it out to me.

Exposing the fact that I am running PHP is one thing. Exposing exactly
which modules I have loaded is quite another.



http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

That url does not show loaded modules. One can also use for example:

disable_functions = phpinfo

in /etc/php.ini

So, I guess that's sufficent.

-- 
Regards // Oden Eriksson
Security team manager - Mandriva
CEO NUX AB

Current thread:

PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Kurt Seifried (Jun 27)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Pierre Joye (Jun 27)
  - Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Kurt Seifried (Jun 28)
    - Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Oden Eriksson (Jun 28)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Matthias Weckbecker (Jun 27)
- Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Johannes Schlüter (Jun 28)
  - Re: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Stuart Henderson (Jun 28)
    - RE: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Zeev Suraski (Jun 28)
    - Re: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Kurt Seifried (Jun 28)
    - Re: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 Rasmus Lerdorf (Jun 28)