ID:               19881
Comment by:       [EMAIL PROTECTED]
Reported By:      [EMAIL PROTECTED]
Status:           Feedback
Bug Type:         *General Issues
Operating System: Win32
PHP Version:      4.2.3
New Comment:

That setting does indeed eliminate the image tag bug. It could be used as a temporary workaround for this issue. The correct behavior would be for PHP to eradicate the query string before using it in a URL.


Previous Comments:
------------------------------------------------------------------------

[2002-10-12 22:42:53] [EMAIL PROTECTED]

If I understood your concern correctly, the only thing you have to do is to set 'expose_php=off' in your php.ini file.

------------------------------------------------------------------------

[2002-10-12 18:16:16] [EMAIL PROTECTED]

phpinfo() in PHP 4.2.3 uses a special query string to cause a script to return the PHP logo. phpinfo() fails to strip any query string off of the URI before writing it to the browser. This opens up two issues, one a nuisance, and the other a more serious security issue:

--- INFO.PHP ---
<?php phpinfo(); ?>
--- INFO.PHP ---

Yes, I know that's a security risk to allow anonymous users access to debug information, but this is actually an example of a default script in many web applications/servers (BadBlue web server, for example).

http://localhost/info.php?"><SCRIPT>alert(document.URL)</SCRIPT>=x

Some browsers will not encode this, and this results in:

<img src="/info.php?"><SCRIPT>alert(document.URL)</SCRIPT>?=PHPE9568F34-D428-11d2-A769-00AA001ACF42" border=0 align="right" alt="PHP Logo">

The security issue here is a cross-site scripting exposure -- not only does PHP fail to strip the query string, it also fails to filter any HTML entities contained in it.

The nuisance problem is that the ALT tag is displayed, but the script executes a regular phpinfo(), and returns a bogus image.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=19881&edit=1
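
An added example, not PHP's own source and not code from any commenter above: one way to get the behavior the comments ask for, by dropping the query string from the request URI and HTML-escaping what remains before it is written into the logo image tag. The names html_escape and build_logo_tag and the buffer sizes are assumptions; the logo string is the one quoted in the report.

```c
#include <stdio.h>
#include <string.h>

/* Logo query string exactly as quoted in the report. */
#define PHP_LOGO_GUID "PHPE9568F34-D428-11d2-A769-00AA001ACF42"

/* HTML-escape src[0..n) into dst; returns 0, or -1 if it does not fit in cap. */
static int html_escape(const char *src, size_t n, char *dst, size_t cap)
{
    size_t o = 0;
    if (cap == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        char one[2] = { src[i], '\0' };
        const char *rep = one;              /* default: copy the byte unchanged */
        switch (src[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = strlen(rep);
        if (o + len >= cap) return -1;      /* keep room for the terminator */
        memcpy(dst + o, rep, len);
        o += len;
    }
    dst[o] = '\0';
    return 0;
}

/* Hypothetical helper: build the logo <img> tag from a raw request URI. */
int build_logo_tag(const char *request_uri, char *out, size_t cap)
{
    char path[1024];
    size_t n = strcspn(request_uri, "?#");  /* drop query string and fragment */
    if (html_escape(request_uri, n, path, sizeof path) != 0) return -1;
    int w = snprintf(out, cap, "<img src=\"%s?=%s\" border=0 align=\"right\" "
                     "alt=\"PHP Logo\">", path, PHP_LOGO_GUID);
    return (w < 0 || (size_t)w >= cap) ? -1 : 0;
}

int main(void)
{
    char tag[2048];
    /* Request URI taken from the report's example URL. */
    if (build_logo_tag("/info.php?\"><SCRIPT>alert(document.URL)</SCRIPT>=x", tag, sizeof tag) == 0)
        puts(tag);
    return 0;
}
```

Escaping the path as well as stripping the query string matters because markup characters can also appear before the "?".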