ID:               19881
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Open
+Status:           Feedback
-Bug Type:         Unknown/Other Function
+Bug Type:         *General Issues
 Operating System: Win32
 PHP Version:      4.2.3
 New Comment:

If I understood your concern correctly, the only thing you
have to do is to set 'expose_php=off' in your php.ini file.



Previous Comments:
------------------------------------------------------------------------

[2002-10-12 18:16:16] [EMAIL PROTECTED]

phpinfo() in PHP 4.2.3 uses a special query string to cause a script to
return the PHP logo.  phpinfo() fails to strip any query string off of
the URI before writing it to the browser.  This opens up two issues,
one a nuisance, and the other a more serious security issue:

--- INFO.PHP ---
<?php phpinfo(); ?>
--- INFO.PHP ---

Yes, I know that it's a security risk to allow anonymous users access to
debug information, but this is actually an example of a default script
in many web applications/servers (BadBlue web server, for example).

http://localhost/info.php?";><SCRIPT>alert(document.URL)</SCRIPT>=x

Some browsers will not encode this, and this results in:

<img
src="/info.php?"><SCRIPT>alert(document.URL)</SCRIPT>?=PHPE9568F34-D428-11d2-A769-00AA001ACF42"
border=0 align="right" alt="PHP Logo">

The security issue here is a cross-site scripting exposure -- not only
does PHP fail to strip the query string, it also fails to filter any
HTML entities contained in it.

The nuisance problem is that the ALT tag is displayed, but the script
executes a regular phpinfo(), and returns a bogus image.

------------------------------------------------------------------------
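The pattern the report above describes, as an added example that is not part of the bug report and is not PHP's own phpinfo() source (the real 4.2.3 implementation is in C). It assumes the logo link is built from the request URI with the query string still attached; the function names and the hardening (strip the query string, then HTML-escape) are mine, and the final ini_get() check is for the expose_php workaround suggested in the reply.

```php
<?php
// Added example: a minimal PHP model of the behaviour the report describes.
// Assumption: the logo <img> src is built from REQUEST_URI, query string
// included. This is an illustration, not the real info.c code.

// The logo query-string marker quoted in the report.
const PHP_LOGO_GUID = 'PHPE9568F34-D428-11d2-A769-00AA001ACF42';

// Vulnerable pattern: the raw URI goes straight into an attribute value,
// so a '"' in the query string closes the attribute and any '<' that
// follows is parsed as markup.
function logo_tag_vulnerable(string $request_uri): string
{
    return '<img src="' . $request_uri . '?=' . PHP_LOGO_GUID
         . '" border=0 align="right" alt="PHP Logo">';
}

// Hardened pattern: drop the query string first, then HTML-escape what is
// left so that quotes and angle brackets can never break out of the
// attribute even if the path itself is attacker-influenced.
function logo_tag_hardened(string $request_uri): string
{
    $path = explode('?', $request_uri, 2)[0];      // everything before the first '?'
    $safe = htmlspecialchars($path, ENT_QUOTES);    // neutralise " ' < > &
    return '<img src="' . $safe . '?=' . PHP_LOGO_GUID
         . '" border=0 align="right" alt="PHP Logo">';
}

// The reporter's payload, as a browser that does not percent-encode it
// would send it (constructed test input, taken from the report).
$raw = '/info.php?"><SCRIPT>alert(document.URL)</SCRIPT>=x';

echo logo_tag_vulnerable($raw), "\n";
// The attribute closes early and the <SCRIPT> element lands in the page.

echo logo_tag_hardened($raw), "\n";
// <img src="/info.php?=PHPE9568F34-..." ...> : no markup from the URI survives.

// Quick check for the php.ini workaround from the reply: with
// expose_php=off, phpinfo() omits the logo link entirely.
$expose = filter_var(ini_get('expose_php'), FILTER_VALIDATE_BOOLEAN);
echo 'expose_php is ', $expose ? 'on (logo link emitted)' : 'off (workaround active)', "\n";
```

Run it with `php` from the command line (no web server needed); the first line of output reproduces the broken tag shown in the report, the second shows the escaped form. Stripping the query string alone is not enough, because the path component can also carry characters a browser sends unencoded, which is why the escape step is applied after the strip rather than instead of it.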


-- 
Edit this bug report at http://bugs.php.net/?id=19881&edit=1
