From: rich dot fearn at btopenworld dot com
Operating system: Linux
PHP version: 4.3.1
PHP Bug Type: Unknown/Other Function
Bug description: Vulnerability in phpinfo()

I've just received an e-mail about a vulnerability in the phpinfo() function. If phpinfo() is used in a page on a web site, a parameter containing script can be passed to that page; that script will be executed.

For example, with the page:

    <?php phpinfo(); ?>

stored as info.php, going to

    http://<website>/info.php?test=<script>alert('Hello')</script>

will cause the script to be executed, resulting in a pop-up containing the message "Hello".

The vulnerability is due to the fact that parameters are not encoded when they are output in the _SERVER["argv"] section of phpinfo()'s output. (In the other parts of the output where parameters are displayed, < and > characters are converted to the & entities.)

--
Edit bug report at http://bugs.php.net/?id=24024&edit=1
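
The behaviour described in the report, modelled as an added example (not code from the original message and not PHP's own source): one table renderer writes the argv value as-is, the other encodes it at output time. The helper names render_row_raw, render_row_encoded, render_variable and contains_live_tag are hypothetical, and the argv value is a constructed sample taken from the URL in the report.

```php
<?php
// Added example: a model of the reported behaviour, not PHP's internal code.

// Constructed sample: the query string from the report as a single argv entry.
$argv_sample = array("test=<script>alert('Hello')</script>");

// Vulnerable pattern: the value is copied into the HTML table unchanged.
function render_row_raw($name, $value) {
    return "<tr><td>" . $name . "</td><td>" . $value . "</td></tr>\n";
}

// Hardened pattern: every dynamic string is HTML-encoded when it is output.
function render_row_encoded($name, $value) {
    return "<tr><td>" . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "</td><td>"
         . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "</td></tr>\n";
}

// argv is an array, so walk it and render each element through the same
// row function; a renderer that encodes scalars but not array members
// leaves exactly the kind of gap the report describes.
function render_variable($name, $value, $row) {
    if (is_array($value)) {
        $out = '';
        foreach ($value as $key => $item) {
            $out .= render_variable($name . '[' . $key . ']', $item, $row);
        }
        return $out;
    }
    return $row($name, (string) $value);
}

// Simple check: does the rendered HTML still contain a live script tag?
function contains_live_tag($html) {
    return stripos($html, '<script') !== false;
}

$raw     = render_variable('_SERVER["argv"]', $argv_sample, 'render_row_raw');
$encoded = render_variable('_SERVER["argv"]', $argv_sample, 'render_row_encoded');

echo "raw output has live <script> tag:     ",
     var_export(contains_live_tag($raw), true), "\n";
echo "encoded output has live <script> tag: ",
     var_export(contains_live_tag($encoded), true), "\n";
echo $encoded;
```

Independently of the encoding fix, a phpinfo() page exposes configuration details and is best not left reachable on a production site.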