ID:               24024
Comment by:       grangeway at blueyonder dot co dot uk
Reported By:      rich dot fearn at btopenworld dot com
Status:           Bogus
Bug Type:         *General Issues
Operating System: Linux
PHP Version:      4.3.1
New Comment:
Rasmus, you filter, or rather convert, < to &lt; for some strings (i.e. for ~6 strings), but not for _SERVER["argv"]. If it is a debugging tool, then the filtering should be removed from all strings? Otherwise surely argv should be handled in the same way as the query string, _GET['test'] etc etc. Having inconsistent output of the same string when debugging just causes confusion.

Previous Comments:
------------------------------------------------------------------------

[2003-06-04 13:06:02] [EMAIL PROTECTED]

phpinfo() is a debugging function. It is not something that should be publicly accessible. Adding filtering to it would make it much less useful as a debugging tool.

------------------------------------------------------------------------

[2003-06-04 12:42:54] rich dot fearn at btopenworld dot com

I've just received an e-mail about a vulnerability in the phpinfo() function. If phpinfo() is used in a page on a web site, a parameter containing script can be passed to that page; that script will be executed.

For example, with the page:

<?php phpinfo(); ?>

stored as info.php, going to

http://<website>/info.php?test=<script>alert('Hello')</script>

will cause the script to be executed, resulting in a pop-up containing the message "Hello".

The vulnerability is due to the fact that parameters are not encoded when they are output in the _SERVER["argv"] section of phpinfo()'s output. (In the other parts of the output where parameters are displayed, < and > characters are converted to the &lt; and &gt; entities.)

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=24024&edit=1
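A quick way to confirm the inconsistency the thread describes (every displayed parameter entity-encoded except _SERVER["argv"]) is a marker probe: request info.php?test=<marker> and check, row by row, whether the marker comes back raw or as &lt;...&gt;. The Python below is an added example, not code from the bug report or from PHP itself. The phpinfo() row layout it parses (class="e" / class="v" cells), the two response bodies and the marker token are constructed assumptions; point reflected_rows() at a real response body fetched from the target in place of the constructed ones.

```python
import html
import re
import urllib.parse

# Probe string. The angle brackets are what phpinfo() must entity-encode;
# "zzprobe" is an unlikely token so it cannot collide with phpinfo()'s own text.
MARKER = "<zzprobe>"
ESCAPED_MARKER = html.escape(MARKER, quote=False)   # "&lt;zzprobe&gt;"

# One phpinfo() name/value row. The class="e" / class="v" cell layout is an
# assumption about the HTML phpinfo() emits; adjust the pattern if it differs.
ROW_RE = re.compile(
    r'<td class="e">(?P<key>[^<]+)</td>\s*<td class="v">(?P<val>.*?)</td>',
    re.DOTALL,
)


def probe_url(info_page: str) -> str:
    """Build the probe URL in the shape the report uses: info.php?test=<payload>."""
    return info_page + "?" + urllib.parse.urlencode({"test": MARKER})


def classify_reflection(text: str) -> str:
    """'unescaped' if the raw marker survives (script would run), 'escaped' if
    only the entity-encoded form appears, 'absent' if the probe is not reflected."""
    if MARKER in text:
        return "unescaped"
    if ESCAPED_MARKER in text:
        return "escaped"
    return "absent"


def reflected_rows(body: str) -> dict:
    """Map each phpinfo() row that reflects the probe to how it reflected it,
    so the row-by-row inconsistency the thread complains about is visible."""
    found = {}
    for m in ROW_RE.finditer(body):
        state = classify_reflection(m.group("val"))
        if state != "absent":
            found[m.group("key")] = state
    return found


def vulnerable_rows(body: str) -> list:
    """Names of the rows that reflect the probe without encoding it."""
    return sorted(k for k, v in reflected_rows(body).items() if v == "unescaped")


# Constructed responses (not captured from a real server), modelled on the
# behaviour the report describes: every row encodes the probe except argv.
_ROW = '<tr><td class="e">{}</td><td class="v">{}</td></tr>\n'
_ARGV_VAL = "Array\n(\n    [0] => test={}\n)\n"

VULNERABLE_BODY = (
    _ROW.format('_SERVER["QUERY_STRING"]', "test=" + ESCAPED_MARKER)
    + _ROW.format('_GET["test"]', ESCAPED_MARKER)
    + _ROW.format('_SERVER["argv"]', _ARGV_VAL.format(MARKER))
)

# What the same page looks like once argv is encoded like every other row.
FIXED_BODY = VULNERABLE_BODY.replace(
    _ARGV_VAL.format(MARKER), _ARGV_VAL.format(ESCAPED_MARKER)
)

if __name__ == "__main__":
    print(probe_url("http://example.test/info.php"))
    print("vulnerable page:", vulnerable_rows(VULNERABLE_BODY))
    print("fixed page:     ", vulnerable_rows(FIXED_BODY))
```

Scanning the whole body with classify_reflection() alone is not enough, because a page can be "escaped" in most rows and still leak the raw marker in one; reflected_rows() keeps the per-row verdicts so the single unencoded cell stands out.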