Edit report at https://bugs.php.net/bug.php?id=55497&edit=1

 ID:                 55497
 Comment by:         ian_dunn at yahoo dot com
 Reported by:        mhaisley at gmail dot com
 Summary:            Credits URL Security
                     ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
 Status:             Not a bug
 Type:               Bug
 Package:            PHP options/info functions
 Operating System:   Any
 PHP Version:        Irrelevant
 Block user comment: N
 Private report:     N

 New Comment:

I agree with mhaisley, this is a security vulnerability and should be disabled
by default. Many PCI compliance scanners will fail a site if it is turned on.

I realize that it's not a major vulnerability, but it does give attackers
information that could help them compromise a system. What are the benefits of
having it enabled by default? I can't think of any significant ones. Whatever
benefits there are, they'd have to outweigh the downsides, and that doesn't
seem likely in this case.


Previous Comments:
------------------------------------------------------------------------
[2012-09-12 06:42:41] support at ecommercewebsites dot com dot au

Nope - this is not a bug.
Just disable it in your config file.

------------------------------------------------------------------------
[2011-08-25 03:27:29] mhaisley at gmail dot com

Sorry, but it is a real issue. 

It should be disabled by default.

------------------------------------------------------------------------
[2011-08-25 00:19:08] johan...@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Attackers can easily brute force without knowing the version. But if you fear
this makes things insecure you can set expose_php=Off in php.ini.

------------------------------------------------------------------------
[2011-08-24 02:35:55] mhaisley at gmail dot com

Description:
------------
?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 displays php credits, it also
displays credits for all modules.

This effectively makes it a security issue since it allows an attacker to scan
for a specific vulnerable module and then exploit it.

Test script:
---------------
http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

Expected result:
----------------
?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 should be disabled by default, or
display generic information only. The current behavior is unacceptable.

Actual result:
--------------
Specific information regarding installed modules is displayed. 


------------------------------------------------------------------------
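
The setting and the query string discussed in this thread, as an added example that is not part of the bug report or PHP's own code: a Python check that reads the effective `expose_php` value from php.ini text (an absent or commented-out directive leaves the default, On) and flags requests for the credits query string in an access log. Function names, the log format (Apache combined style) and the sample data are assumptions constructed for illustration; per-host ini sections and additional scanned ini files are not handled.

```python
import re

# Query string quoted in the report above (the PHP credits page).
CREDITS_QS = "=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000"

def _ini_bool(value):
    """Approximate PHP's boolean ini parsing: on/yes/true or a non-zero integer."""
    v = value.strip().strip("\"'").lower()
    if v in ("on", "yes", "true"):
        return True
    m = re.match(r"[+-]?\d+", v)
    return bool(m) and int(m.group()) != 0

def expose_php_enabled(ini_text):
    """Effective expose_php for one php.ini; an absent directive means On."""
    enabled = True  # PHP's built-in default
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(r"expose_php\s*=(.*)$", line, re.I)
        if m:
            enabled = _ini_bool(m.group(1))  # a later assignment overrides
    return enabled

def credits_probes(log_lines):
    """(client, path) for each request whose whole query string is the credits GUID."""
    hits = []
    for line in log_lines:
        m = re.match(r'(\S+) .*?"[A-Z]+ (\S+) HTTP/', line)
        if not m:
            continue
        client, target = m.groups()
        path, _, query = target.partition("?")
        if query.upper() == CREDITS_QS.upper():  # tolerate case changes in logs
            hits.append((client, path))
    return hits

# Constructed sample input (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Aug/2011:02:30:11 +0000] "GET /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [24/Aug/2011:02:31:02 +0000] "GET /index.php?page=2 HTTP/1.1" 200 812',
]
SAMPLE_INI = "; expose_php = Off\n[PHP]\nengine = On\n"  # directive only commented out

if __name__ == "__main__":
    print("expose_php enabled:", expose_php_enabled(SAMPLE_INI))
    for client, path in credits_probes(SAMPLE_LOG):
        print("credits probe from", client, "on", path)
```
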


