ID: 24024
Updated by: [EMAIL PROTECTED]
Reported By: rich dot fearn at btopenworld dot com
-Status: Open
+Status: Bogus
Bug Type: Unknown/Other Function
Operating System: Linux
PHP Version: 4.3.1

New Comment:
phpinfo() is a debugging function. It is not something that should be publicly accessible. Adding filtering to it would make it much less useful as a debugging tool.

Previous Comments:
------------------------------------------------------------------------

[2003-06-04 12:42:54] rich dot fearn at btopenworld dot com

I've just received an e-mail about a vulnerability in the phpinfo() function. If phpinfo() is used in a page on a web site, a parameter containing script can be passed to that page; that script will be executed.

For example, with the page:

<?php phpinfo(); ?>

stored as info.php, going to

http://<website>/info.php?test=<script>alert('Hello')</script>

will cause the script to be executed, resulting in a pop-up containing the message "Hello".

The vulnerability is due to the fact that parameters are not encoded when they are output in the _SERVER["argv"] section of phpinfo()'s output. (In the other parts of the output where parameters are displayed, < and > characters are converted to the &lt; and &gt; entities.)

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=24024&edit=1
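The maintainer's position is that phpinfo() must never be publicly reachable. The following is an added example (not code from the bug report or from PHP itself) of how a site can apply that: it gates phpinfo() behind a constructed loopback allowlist and an assumed session flag `$_SESSION['is_admin']` set by the site's own login code, and it omits the INFO_VARIABLES section, which is where request-supplied values such as _SERVER["argv"] are echoed back into the page. It targets modern PHP (7+), not the 4.3.1 release the report concerns.

```php
<?php
// Added example: serve phpinfo() only to an allowlisted client on an
// authenticated session, and leave out the "PHP Variables" section so
// that nothing taken from the request (query string, argv, cookies)
// is reflected into the HTML at all.
declare(strict_types=1);

// Constructed allowlist: loopback only. Adjust for your environment.
const PHPINFO_ALLOWED_CLIENTS = ['127.0.0.1', '::1'];

/**
 * Decide whether this request may see phpinfo().
 * $remoteAddr is $_SERVER['REMOTE_ADDR']; $isAdmin is a flag your own
 * authentication layer sets (assumed here, not a PHP built-in).
 */
function phpinfoAllowed(?string $remoteAddr, bool $isAdmin): bool
{
    if ($remoteAddr === null || !$isAdmin) {
        return false;
    }
    return in_array($remoteAddr, PHPINFO_ALLOWED_CLIENTS, true);
}

/**
 * Sections to render: everything except INFO_VARIABLES, the section in
 * which _SERVER (including argv) and other request data are printed.
 */
function phpinfoSafeFlags(): int
{
    return INFO_ALL & ~INFO_VARIABLES;
}

session_start();
$isAdmin = !empty($_SESSION['is_admin']);   // assumed to be set at login

if (!phpinfoAllowed($_SERVER['REMOTE_ADDR'] ?? null, $isAdmin)) {
    http_response_code(404);   // indistinguishable from a missing page
    exit;
}

header('Cache-Control: no-store');   // never let a proxy keep a copy
phpinfo(phpinfoSafeFlags());
```

Because the request variables are not rendered, the reflection path the reporter describes is closed regardless of whether the PHP build escapes the argv section; the access check additionally keeps the configuration details away from anonymous visitors.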