ID: 24024
Updated by: [EMAIL PROTECTED]
Reported By: rich dot fearn at btopenworld dot com
Status: Bogus
Bug Type: *General Issues
Operating System: Linux
PHP Version: 4.3.1
New Comment:
Do you realize that version 4.3.1 is a year and a half old? I just had
a look at the current code to see what it did and _SERVER is escaped the
same way everything else is.
Previous Comments:
------------------------------------------------------------------------
[2004-08-08 12:40:18] grangeway at blueyonder dot co dot uk
Rasmus, you filter, or rather convert, < to &lt; for some strings (i.e.
for ~6 strings), but not for _SERVER["argv"].
If it is a debugging tool, then the filtering should be removed from
all strings?
Otherwise surely argv should be handled in the same way as querystring,
_GET['test'] etc etc.
Having inconsistent output of the same string when debugging just
causes confusion.
------------------------------------------------------------------------
[2003-06-04 13:06:02] [EMAIL PROTECTED]
phpinfo() is a debugging function. It is not something that should be
publicly accessible. Adding filtering to it would make it much less
useful as a debugging tool.
------------------------------------------------------------------------
[2003-06-04 12:42:54] rich dot fearn at btopenworld dot com
I've just received an e-mail about a vulnerability in the phpinfo()
function.
If phpinfo() is used in a page on a web site, a parameter containing
script can be passed to that page; that script will be executed.
For example, with the page:
<?php
phpinfo();
?>
stored as info.php, going to
http://<website>/info.php?test=<script>alert('Hello')</script>
will cause the script to be executed, resulting in a pop-up containing
the message "Hello".
The vulnerability is due to the fact that parameters are not encoded
when they are output in the
_SERVER["argv"]
section of phpinfo()'s output. (In the other parts of the output where
parameters are displayed, < and > characters are converted to the &
entities.)
------------------------------------------------------------------------
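The two comments above disagree about whether phpinfo() should escape its output at all, but they agree on the underlying mechanism: a request parameter echoed into an HTML page without entity encoding is rendered as markup. The following is an added example, not code from this bug report or from PHP's own phpinfo() implementation, showing a small debug page that prints the same request data but passes every key and value through htmlspecialchars() first, so the "test=<script>..." parameter from the report is displayed as text rather than executed. It assumes PHP 7 or later; when run from the command line it uses a constructed sample request instead of the real $_GET and $_SERVER.

```php
<?php
// Added example (not from the bug report or from PHP itself): a debug page
// that shows request data like phpinfo() does, but HTML-escapes everything.

/** Escape one value for safe inclusion in HTML text or attribute context. */
function html_escape(string $value): string
{
    // ENT_QUOTES also escapes ' and ", so the value is safe inside attributes too.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/**
 * Render an associative array (the shape of $_GET or $_SERVER) as an HTML
 * table. Every key and value is escaped; nested arrays such as argv are
 * flattened to one string before escaping.
 */
function render_table(string $title, array $values): string
{
    $rows = '';
    foreach ($values as $key => $value) {
        $text = is_array($value) ? implode(' ', $value) : (string) $value;
        $rows .= '<tr><td>' . html_escape((string) $key) . '</td><td>'
               . html_escape($text) . "</td></tr>\n";
    }
    return '<h2>' . html_escape($title) . "</h2>\n<table>\n" . $rows . "</table>\n";
}

if (PHP_SAPI === 'cli') {
    // Constructed sample standing in for a request to
    // info.php?test=<script>alert('Hello')</script> (assumed shape of the superglobals).
    $get    = ['test' => "<script>alert('Hello')</script>"];
    $server = ['argc' => 1, 'argv' => ["test=<script>alert('Hello')</script>"]];
} else {
    // Under a web server, show the real request data.
    $get    = $_GET;
    $server = ['argc' => $_SERVER['argc'] ?? 0, 'argv' => $_SERVER['argv'] ?? []];
}

echo render_table('_GET', $get);
echo render_table('_SERVER', $server);
// Every < and > in the values reaches the browser as an entity, so the
// script tag is displayed as text and nothing is executed.
```

The point of the example is that the escaping happens in one place (render_table) for every table, which is exactly the consistency the second comment asks for: the same input string produces the same escaped output whether it appears under _GET or under _SERVER["argv"].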
--
Edit this bug report at http://bugs.php.net/?id=24024&edit=1