Edit report at https://bugs.php.net/bug.php?id=55497&edit=1
ID: 55497
Comment by: joaoprabelo at gmail dot com
Reported by: mhaisley at gmail dot com
Summary: Credits URL Security ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
Status: Not a bug
Type: Bug
Package: PHP options/info functions
Operating System: Any
PHP Version: Irrelevant
Block user comment: N
Private report: N
New Comment:
nikic, but now I know when PHP is 5.5 or higher easily. Or isn't?
Previous Comments:
------------------------------------------------------------------------
[2012-10-10 17:33:17] [email protected]
@ian_dunn: The logo GUIDs have been removed in master. So presumably this issue
(whether it actually is one or not) will not exist anymore in PHP 5.5.
------------------------------------------------------------------------
[2012-10-10 17:26:03] ian_dunn at yahoo dot com
I agree with mhaisley, this is a security vulnerability and should be disabled
by default. Many PCI compliance scanners will fail a site if it is turned on.
I realize that it's not a major vulnerability, but it does give attackers
information that could help them compromise a system. What are the benefits of
having it enabled by default? I can't think of any significant ones. Whatever
benefits there are, they'd have to outweigh the downsides, and that doesn't
seem likely in this case.
------------------------------------------------------------------------
[2012-09-12 06:42:41] support at ecommercewebsites dot com dot au
Nope - this is not a bug.
Just disable it in your config file.
------------------------------------------------------------------------
[2011-08-25 03:27:29] mhaisley at gmail dot com
Sorry, but it is a real issue.
It should be disabled by default.
------------------------------------------------------------------------
[2011-08-25 00:19:08] [email protected]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php
Attackers can easily brute force without knowing the version. But if you fear
this makes things insecure you can set expose_php=Off in php.ini.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=55497
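
A way to audit the setting discussed in this thread, as an added example that is not part of the bug report or of PHP itself: it computes the effective expose_php value from a set of ini files. The function name and the sample ini contents are constructed for illustration; it assumes files are passed in load order, that the last assignment wins, and that the directive defaults to On when unset.

```python
import re

# Assumption: with no assignment in any file, PHP's built-in default (On) applies.
DEFAULT_EXPOSE_PHP = True
_TRUE_WORDS = {"on", "true", "yes"}
_ASSIGN = re.compile(r"(?i)^expose_php\s*=\s*(.*)$")


def _ini_bool(raw):
    """Interpret an ini value the way a boolean directive is read."""
    v = raw.strip().strip("\"'").lower()
    if v in _TRUE_WORDS:
        return True
    try:
        return int(v) != 0          # "1" is on, "0" is off
    except ValueError:
        return False                # off, no, none, empty string


def effective_expose_php(ini_texts):
    """Return (enabled, index_of_deciding_file or None if the default applies)."""
    enabled, source = DEFAULT_EXPOSE_PHP, None
    for idx, text in enumerate(ini_texts):
        for line in text.splitlines():
            line = line.split(";", 1)[0].strip()   # drop ';' comments
            m = _ASSIGN.match(line)
            if m:
                enabled, source = _ini_bool(m.group(1)), idx
    return enabled, source


# Constructed sample inputs: a main php.ini followed by one conf.d fragment.
MAIN_INI = "[PHP]\nengine = On\nexpose_php = On\n"
COMMENTED_FRAGMENT = "; expose_php = Off   (commented out, has no effect)\n"
HARDENING_FRAGMENT = "expose_php=Off ; hide version banner\n"

if __name__ == "__main__":
    for files in ([MAIN_INI, COMMENTED_FRAGMENT], [MAIN_INI, HARDENING_FRAGMENT]):
        enabled, src = effective_expose_php(files)
        print("expose_php is", "On" if enabled else "Off", "- decided by file", src)
```

A commented-out `expose_php = Off` leaves the directive enabled, which is the case a quick text search of the config directory tends to miss.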