> The Irony:
>
> The comment lines directly above the expose_php directive in the default config file specifically say that it is "no security threat", but having it enabled opens you to an XSS? Food for thought...
Sorry, but this is simply not true. You are only vulnerable if you provide a script that calls phpinfo(); AND(!) have expose_php on. I have already said in different places that you cannot blame insecure programming on the language. There is absolutely NO reason to have a phpinfo() script on a production server, because it reveals too much information.

Stefan Esser

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
