From:             [EMAIL PROTECTED]
Operating system: Win32
PHP version:      4.2.3
PHP Bug Type:     Unknown/Other Function
Bug description:  phpinfo() Security Problem

phpinfo() in PHP 4.2.3 uses a special query string to cause a script to
return the PHP logo.  phpinfo() fails to strip any query string off of the
URI before writing it to the browser.  This opens up two issues, one a
nuisance, and the other a more serious security issue:

--- INFO.PHP ---
<?php phpinfo(); ?>
--- INFO.PHP ---

Yes, I know it's a security risk to allow anonymous users access to
debug information, but this is actually an example of a default script in
many web applications/servers (BadBlue web server, for example).

http://localhost/info.php?";><SCRIPT>alert(document.URL)</SCRIPT>=x

Some browsers will not encode this, and this results in:

<img
src="/info.php?"><SCRIPT>alert(document.URL)</SCRIPT>?=PHPE9568F34-D428-11d2-A769-00AA001ACF42"
border=0 align="right" alt="PHP Logo">

The security issue here is a cross-site scripting exposure -- not only
does PHP fail to strip the query string, it also fails to filter any HTML
entities contained in it.

The nuisance problem is that the ALT tag is displayed, but the script
executes a regular phpinfo(), and returns a bogus image.
-- 
Edit bug report at http://bugs.php.net/?id=19881&edit=1
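
The two failures the report names (query string not stripped, HTML not escaped), modelled in PHP as an added example; it is not part of the original report and not PHP's own source. The function names are hypothetical, and the hardened form is one possible fix, not necessarily the one PHP shipped.

```php
<?php
// Added example: models the logo <img> tag that the report says phpinfo()
// writes. Function names are hypothetical; this is not PHP's source code.

// Logo query string value, copied from the output quoted in the report.
const LOGO_GUID = 'PHPE9568F34-D428-11d2-A769-00AA001ACF42';

// Behaviour described in the report: the request URI, query string
// included, is written into the src attribute with no escaping.
function logo_img_as_reported(string $requestUri): string
{
    return '<img src="' . $requestUri . '?=' . LOGO_GUID
         . '" border=0 align="right" alt="PHP Logo">';
}

// Hardened form: drop everything from the first "?" onward, then escape
// the result for use inside a double-quoted HTML attribute.
function logo_img_hardened(string $requestUri): string
{
    $path = explode('?', $requestUri, 2)[0];
    $src  = htmlspecialchars($path . '?=' . LOGO_GUID, ENT_QUOTES, 'UTF-8');
    return '<img src="' . $src . '" border=0 align="right" alt="PHP Logo">';
}

// True when the tag contains markup characters outside the one <img ...>
// element, i.e. the attribute value was able to close the tag early.
function breaks_out_of_tag(string $html): bool
{
    return preg_match('/^<img [^<>]*>$/', $html) !== 1;
}

$samples = [
    // Request URI from the report, as sent by a browser that does not encode it.
    '/info.php?";><SCRIPT>alert(document.URL)</SCRIPT>=x',
    // Constructed input: a quote in the path itself, which stripping the
    // query string alone would not neutralise.
    '/info.php/a"b',
];

foreach ($samples as $uri) {
    foreach (['logo_img_as_reported', 'logo_img_hardened'] as $fn) {
        $tag = $fn($uri);
        echo $fn, ': ', $tag, "\n";
        echo '  breaks out of <img>: ',
             breaks_out_of_tag($tag) ? 'yes' : 'no', "\n";
    }
}
```

Stripping the query string addresses the first failure only; the `htmlspecialchars()` call is what keeps a quote in the path from ending the `src` attribute.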