From: rich dot fearn at btopenworld dot com
Operating system: Linux
PHP version: 4.3.1
PHP Bug Type: Unknown/Other Function
Bug description: Vulnerability in phpinfo()
I've just received an e-mail about a vulnerability in the phpinfo()
function.
If phpinfo() is used in a page on a web site, a parameter containing
script can be passed to that page; that script will be executed.
For example, with the page:
<?php
phpinfo();
?>
stored as info.php, going to
http://<website>/info.php?test=<script>alert('Hello')</script>
will cause the script to be executed, resulting in a pop-up containing the
message "Hello".
The vulnerability is due to the fact that parameters are not encoded when
they are output in the
_SERVER["argv"]
section of phpinfo()'s output. (In the other parts of the output where
parameters are displayed, < and > characters are converted to the &
entities.)
--
Edit bug report at http://bugs.php.net/?id=24024&edit=1
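
The encoding gap described in the report, shown as an added example (not code from the report or from the PHP source). render_row() and html_escape() are hypothetical names; the encode flag switches between the reported behaviour, where the value is copied verbatim into the table row, and a hardened form that entity-encodes it first.

```c
#include <stdio.h>
#include <string.h>
/* Append src to dst, entity-encoding HTML-significant characters; -1 if it will not fit. */
static int html_escape(char *dst, size_t cap, const char *src)
{
    size_t used = strlen(dst);
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;          /* default: copy the byte unchanged */
        switch (*src) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > cap) return -1;
        memcpy(dst + used, rep, n + 1);  /* copies the terminating NUL too */
        used += n;
    }
    return 0;
}

/* Build one info-table row. name is a trusted constant; value is request-derived. */
int render_row(char *out, size_t cap, const char *name, const char *value, int encode)
{
    int n = snprintf(out, cap, "<tr><td>%s</td><td>", name);
    if (n < 0 || (size_t)n >= cap) return -1;
    if (encode) {                        /* hardened: encode before output */
        if (html_escape(out, cap, value) != 0) return -1;
    } else {                             /* reported behaviour: verbatim copy */
        if (strlen(out) + strlen(value) + 1 > cap) return -1;
        strcat(out, value);
    }
    if (strlen(out) + sizeof("</td></tr>") > cap) return -1;
    strcat(out, "</td></tr>");
    return 0;
}

int main(void)
{
    /* Constructed input: the query string from the report's example URL. */
    const char *q = "test=<script>alert('Hello')</script>";
    char raw[256], safe[256];
    if (render_row(raw, sizeof raw, "_SERVER[\"argv\"]", q, 0) == 0 &&
        render_row(safe, sizeof safe, "_SERVER[\"argv\"]", q, 1) == 0)
        printf("unencoded: %s\nencoded:   %s\n", raw, safe);
    return 0;
}
```
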