ID:               24024
 Comment by:       rick_g22 at yahoo dot com
 Reported By:      rich dot fearn at btopenworld dot com
 Status:           Bogus
 Bug Type:         *General Issues
 Operating System: Linux
 PHP Version:      4.3.1
 New Comment:

Well, some web hosting companies provide public access to phpinfo in
/phpinfo.php by default. If phpinfo() has some vulnerability, someone
could exploit it in that case.

Anyway, I can see that this could be at most just another cross-site
scripting bug (inserting javascript into PHP's output), so I see no
need to fix this "bug". 

Am I right?


Previous Comments:
------------------------------------------------------------------------

[2003-06-04 13:06:02] [EMAIL PROTECTED]

phpinfo() is a debugging function.  It is not something that should be
publicly accessible.  Adding filtering to it would make it much less
useful as a debugging tool.

------------------------------------------------------------------------

[2003-06-04 12:42:54] rich dot fearn at btopenworld dot com

I've just received an e-mail about a vulnerability in the phpinfo()
function.

If phpinfo() is used in a page on a web site, a parameter containing
script can be passed to that page; that script will be executed.

For example, with the page:

<?php
phpinfo();
?>

stored as info.php, going to

http://<website>/info.php?test=<script>alert('Hello')</script>

will cause the script to be executed, resulting in a pop-up containing
the message "Hello".

The vulnerability is due to the fact that parameters are not encoded
when they are output in the 

_SERVER["argv"]

section of phpinfo()'s output. (In the other parts of the output where
parameters are displayed, < and > characters are converted to the &lt;
and &gt; entities.)

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=24024&edit=1
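
Added example (not part of the bug report and not PHP's own phpinfo()
source): the encoding gap described for the _SERVER["argv"] section, shown
as a phpinfo-style row rendered without and with htmlspecialchars().
render_var() and the $server values are hypothetical, constructed from the
URL in the report.

```php
<?php
// Added illustration; this is not PHP's internal phpinfo() implementation.
// render_var() is a hypothetical helper that prints one variable row the
// way a phpinfo-style debug page would, with or without output encoding.
function render_var(string $name, $value, bool $encode): string
{
    // argv is an array, so flatten arrays the way a debug dump would.
    if (is_array($value)) {
        $parts = [];
        foreach ($value as $k => $v) {
            $parts[] = "[$k] => $v";
        }
        $text = "Array ( " . implode(" ", $parts) . " )";
    } else {
        $text = (string) $value;
    }
    if ($encode) {
        // Encode at the point of output, for every section alike.
        $name = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
        $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
    return "<tr><td>_SERVER[\"$name\"]</td><td>$text</td></tr>\n";
}

// Constructed sample values modelled on the URL in the report.
$server = [
    'QUERY_STRING' => "test=<script>alert('Hello')</script>",
    'argv'         => ["test=<script>alert('Hello')</script>"],
];

foreach ([false, true] as $encode) {
    echo $encode ? "-- encoded --\n"
                 : "-- unencoded (behaviour described in the report) --\n";
    foreach ($server as $name => $value) {
        echo render_var($name, $value, $encode);
    }
}

// Regression-style check: the encoded row must not contain raw markup.
$encoded = render_var('argv', $server['argv'], true);
if (stripos($encoded, '<script') !== false) {
    fwrite(STDERR, "raw markup leaked into encoded output\n");
    exit(1);
}
echo "encoded argv row contains no raw <script> tag\n";
```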
