ID: 24024
Updated by: [EMAIL PROTECTED]
Reported By: rich dot fearn at btopenworld dot com
-Status: Open
+Status: Bogus
Bug Type: Unknown/Other Function
Operating System: Linux
PHP Version: 4.3.1
New Comment:
phpinfo() is a debugging function. It is not something that should be
publically accessible. Adding filtering to it would make it much less
useful as a debugging tool.
Previous Comments:
------------------------------------------------------------------------
[2003-06-04 12:42:54] rich dot fearn at btopenworld dot com
I've just received an e-mail about a vulnerability in the phpinfo()
function.
If phpinfo() is used in a page on a web site, a parameter containing
script can be passed to that page; that script will be executed.
For example, with the page:
<?php
phpinfo();
?>
stored as info.php, going to
http://<website>/info.php?test=<script>alert('Hello')</script>
will cause the script to be executed, resulting in a pop-up containing
the message "Hello".
The vulnerability is due to the fact that parameters are not encoded
when they are output in the
_SERVER["argv"]
section of phpinfo()'s output. (In the other parts of the output where
parameters are displayed, < and > characters are converted to the &
entities.)
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=24024&edit=1
