On Thu Jun 05, 2003 at 09:57:20PM +0200, Oden Eriksson wrote: > I found this the other day: > > http://archives.neohapsis.com/archives/bugtraq/2003-06/0027.html > > ..., and I thought I should share this info and a possible fix: > > --- php.ini 2003-01-06 05:40:15.000000000 +0100 > +++ php.ini.oden 2003-06-05 21:58:02.000000000 +0200 > @@ -191,7 +191,7 @@ > ; This directive allows you to disable certain functions for security > reasons. > ; It receives a comma-delimited list of function names. This directive is > ; *NOT* affected by whether Safe Mode is turned On or Off. > -disable_functions = > +disable_functions = phpinfo > > ; Colors for Syntax Highlighting mode. Anything that's acceptable in > ; <font color="??????"> would work.
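Review bot: the `-disable_functions =` / `+disable_functions = phpinfo` change replaces the whole directive value rather than adding to it, so an installation that already lists functions there would lose them if this hunk were applied as-is; a merged list, or a note telling admins to append `phpinfo` to whatever they already have, would be safer. Also, the context line `; This directive allows you to disable certain functions for security` has its trailing word `reasons.` wrapped onto its own quoted line, so `patch` will reject this hunk as pasted into the mail; attaching the diff instead of inlining it avoids that.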
I'm almost tempted to say we should have this by default. Two things come to mind here (which is why I'm not in a super hurry to fix this thing, and likely will issue an advisory with info on how to correct the problem rather than a new php-ini package):

- anyone using phpinfo() and making it publicly accessible is insane because it offers more than just XSS problems; the data exposure alone is likely more damaging than any XSS vulns
- I dislike putting out updates for config fixes; give me a patch for php itself and you've got yourself an update (although I would hesitate on something as trivial as this)
- XSS vulns are so widely in existence and, really, pretty petty in the grand scheme of things that they don't really warrant an update (in my mind)

Ok, three things. =)

That being said, I'd be more than happy to see this as part of the default php in cooker and Mandrake from this point forward. Obviously, a user can change it after the fact (or, if we decide to leave it, could change it to the above after the fact as well). Of course, people dislike it when I introduce or suggest better security measures, so I suspect the consensus from people will be to leave well enough alone.

Although (tip for anyone doing any hosting), one should disable this function globally on a server if you allow others to host web pages on your machine.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
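An added example, not code from either poster: a small audit helper for the hosting tip above that parses a php.ini's `disable_functions` directive the way the quoted comment describes it (a comma-delimited list), reports whether `phpinfo` is already disabled, and merges `phpinfo` into the existing list instead of overwriting it as the one-line patch does. It assumes php.ini's `;` comment syntax and that the last active assignment of a directive wins; the sample ini text is constructed.

```python
import re

# Constructed php.ini fragment (not from the mail): the directive appears once
# commented out, then active with two entries already listed.
SAMPLE_INI = """\
; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.
;disable_functions = phpinfo
disable_functions = exec, shell_exec
"""

_ASSIGN = re.compile(r"^\s*disable_functions\s*=\s*(.*?)\s*$", re.IGNORECASE)


def disabled_functions(ini_text):
    """Return the lower-cased set of names the active disable_functions lists.
    Lines starting with ';' are comments; a later assignment replaces an
    earlier one (assumed php.ini semantics); trailing ';' comments are cut."""
    names = set()
    for line in ini_text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        m = _ASSIGN.match(line)
        if m:
            value = m.group(1).split(";", 1)[0].strip().strip('"')
            names = {n.strip().lower() for n in value.split(",") if n.strip()}
    return names


def phpinfo_disabled(ini_text):
    """True when phpinfo() would be unavailable under this configuration."""
    return "phpinfo" in disabled_functions(ini_text)


def add_disabled(ini_text, extra):
    """Rewrite the last active disable_functions line so it also names `extra`,
    keeping existing entries; append the directive if none is active."""
    merged = sorted(disabled_functions(ini_text) | {extra.lower()})
    new_line = "disable_functions = " + ", ".join(merged)
    lines = ini_text.splitlines()
    for i in range(len(lines) - 1, -1, -1):
        if not lines[i].lstrip().startswith(";") and _ASSIGN.match(lines[i]):
            lines[i] = new_line
            break
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("phpinfo disabled:", phpinfo_disabled(SAMPLE_INI))
    print(add_disabled(SAMPLE_INI, "phpinfo"), end="")
```

Run it against the real file with `python3 audit.py < /etc/php.ini` adapted to read stdin; the rewritten text is returned, not written back, so the change can be reviewed before the server is reloaded.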