ID: 24024
Comment by: grangeway at blueyonder dot co dot uk
Reported By: rich dot fearn at btopenworld dot com
Status: Bogus
Bug Type: *General Issues
Operating System: Linux
PHP Version: 4.3.1
New Comment:
Rasmus, you filter or more convert < to < for some strings, (i.e.
for ~6 strings), but not for _SERVER["argv"].
If it is a debugging tool, then the filtering should be removed from
all strings?
Otherwise surely argv should be handled in the same way as querystring,
_GET['test'] etc etc.
Having inconsistent output of the same string when debugging just
causes confusion.
Previous Comments:
------------------------------------------------------------------------
[2003-06-04 13:06:02] [EMAIL PROTECTED]
phpinfo() is a debugging function. It is not something that should be
publically accessible. Adding filtering to it would make it much less
useful as a debugging tool.
------------------------------------------------------------------------
[2003-06-04 12:42:54] rich dot fearn at btopenworld dot com
I've just received an e-mail about a vulnerability in the phpinfo()
function.
If phpinfo() is used in a page on a web site, a parameter containing
script can be passed to that page; that script will be executed.
For example, with the page:
<?php
phpinfo();
?>
stored as info.php, going to
http://<website>/info.php?test=<script>alert('Hello')</script>
will cause the script to be executed, resulting in a pop-up containing
the message "Hello".
The vulnerability is due to the fact that parameters are not encoded
when they are output in the
_SERVER["argv"]
section of phpinfo()'s output. (In the other parts of the output where
parameters are displayed, < and > characters are converted to the &
entities.)
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=24024&edit=1
