Bug #55497 [Com]: Credits URL Security ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

2012-10-24 Thread joaoprabelo at gmail dot com
Edit report at https://bugs.php.net/bug.php?id=55497&edit=1

 ID:                 55497
 Comment by:         joaoprabelo at gmail dot com
 Reported by:        mhaisley at gmail dot com
 Summary:            Credits URL Security
                     ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C1
 Status:             Not a bug
 Type:               Bug
 Package:            PHP options/info functions
 Operating System:   Any
 PHP Version:        Irrelevant
 Block user comment: N
 Private report:     N

 New Comment:

nikic, but now I know when PHP is 5.5 or higher easily. Or isn't?


Previous Comments:

[2012-10-10 17:33:17] ni...@php.net

@ian_dunn: The logo GUIDs have been removed in master. So presumably this issue 
(whether it actually is one or not) will not exist anymore in PHP 5.5.


[2012-10-10 17:26:03] ian_dunn at yahoo dot com

I agree with mhaisley, this is a security vulnerability and should be disabled
by default. Many PCI compliance scanners will fail a site if it is turned on.

I realize that it's not a major vulnerability, but it does give attackers
information that could help them compromise a system. What are the benefits of
having it enabled by default? I can't think of any significant ones. Whatever
benefits there are, they'd have to outweigh the downsides, and that doesn't
seem likely in this case.


[2012-09-12 06:42:41] support at ecommercewebsites dot com dot au

Nope - this is not a bug.
Just disable it in your config file.


[2011-08-25 03:27:29] mhaisley at gmail dot com

Sorry, but it is a real issue. 

It should be disabled by default.


[2011-08-25 00:19:08] johan...@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Attackers can easily brute force without knowing the version. But if you fear
this makes things insecure you can set expose_php=Off in php.ini.




The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

https://bugs.php.net/bug.php?id=55497


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=55497&edit=1


Bug #55497 [Com]: Credits URL Security ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

2012-10-10 Thread ian_dunn at yahoo dot com
Edit report at https://bugs.php.net/bug.php?id=55497&edit=1

 ID:                 55497
 Comment by:         ian_dunn at yahoo dot com
 Reported by:        mhaisley at gmail dot com
 Summary:            Credits URL Security
                     ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C1
 Status:             Not a bug
 Type:               Bug
 Package:            PHP options/info functions
 Operating System:   Any
 PHP Version:        Irrelevant
 Block user comment: N
 Private report:     N

 New Comment:

I agree with mhaisley, this is a security vulnerability and should be disabled
by default. Many PCI compliance scanners will fail a site if it is turned on.

I realize that it's not a major vulnerability, but it does give attackers
information that could help them compromise a system. What are the benefits of
having it enabled by default? I can't think of any significant ones. Whatever
benefits there are, they'd have to outweigh the downsides, and that doesn't
seem likely in this case.


Previous Comments:

[2012-09-12 06:42:41] support at ecommercewebsites dot com dot au

Nope - this is not a bug.
Just disable it in your config file.


[2011-08-25 03:27:29] mhaisley at gmail dot com

Sorry, but it is a real issue. 

It should be disabled by default.


[2011-08-25 00:19:08] johan...@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Attackers can easily brute force without knowing the version. But if you fear
this makes things insecure you can set expose_php=Off in php.ini.


[2011-08-24 02:35:55] mhaisley at gmail dot com

Description:

?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C1 displays php credits, it also displays
credits for all modules.

This effectively makes it a security issue since it allows an attacker to scan
for a specific vulnerable module and then exploit it.

Test script:
---
http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C1

Expected result:

?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C1 should be disabled by default, or 
display generic information only.   The current behavior is unacceptable. 

Actual result:
--
Specific information regarding installed modules is displayed. 






-- 
Edit this bug report at https://bugs.php.net/bug.php?id=55497&edit=1


Bug #55497 [Com]: Credits URL Security ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

2012-10-10 Thread ni...@php.net
Edit report at https://bugs.php.net/bug.php?id=55497&edit=1

 ID:                 55497
 Comment by:         ni...@php.net
 Reported by:        mhaisley at gmail dot com
 Summary:            Credits URL Security
                     ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C1
 Status:             Not a bug
 Type:               Bug
 Package:            PHP options/info functions
 Operating System:   Any
 PHP Version:        Irrelevant
 Block user comment: N
 Private report:     N

 New Comment:

@ian_dunn: The logo GUIDs have been removed in master. So presumably this issue 
(whether it actually is one or not) will not exist anymore in PHP 5.5.


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=55497&edit=1


Bug #55497 [Com]: Credits URL Security ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

2012-09-12 Thread support at ecommercewebsites dot com dot au
Edit report at https://bugs.php.net/bug.php?id=55497&edit=1

 ID:                 55497
 Comment by:         support at ecommercewebsites dot com dot au
 Reported by:        mhaisley at gmail dot com
 Summary:            Credits URL Security
                     ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C1
 Status:             Not a bug
 Type:               Bug
 Package:            PHP options/info functions
 Operating System:   Any
 PHP Version:        Irrelevant
 Block user comment: N
 Private report:     N

 New Comment:

Nope - this is not a bug.
Just disable it in your config file.


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=55497&edit=1


Bug #55497 [Com]: Credits URL Security ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

2011-08-24 Thread mhaisley at gmail dot com
Edit report at https://bugs.php.net/bug.php?id=55497&edit=1

 ID:                 55497
 Comment by:         mhaisley at gmail dot com
 Reported by:        mhaisley at gmail dot com
 Summary:            Credits URL Security
                     ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C1
 Status:             Bogus
 Type:               Bug
 Package:            PHP options/info functions
 Operating System:   Any
 PHP Version:        Irrelevant
 Block user comment: N
 Private report:     N

 New Comment:

Sorry, but it is a real issue. 

It should be disabled by default.


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=55497&edit=1
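
Added example (not part of the bug report or PHP's own code): a defender-side check for the two things the thread discusses, namely whether php.ini leaves expose_php on and whether an access log shows requests using a "?=PHP<GUID>" query. It generalizes from the credits GUID to any GUID of that shape (the logo GUIDs mentioned above); the function names, the combined-log-format assumption, the handling of php.ini as one flat file with no per-directory sections, and the sample data are all constructed for illustration.

```python
import re

# Query strings of the form "?=PHP<GUID>", as in the report (credits, logos).
GUID_QUERY = re.compile(
    r"\?=PHP[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}")
# Minimal combined-log-format matcher: client, request target, status code.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')
# Values php.ini treats as boolean false (an empty value included).
OFF_VALUES = {"off", "0", "false", "no", "none", ""}


def expose_php_enabled(ini_text):
    """Return the effective expose_php setting from php.ini text.

    The last uncommented assignment wins; with no assignment at all,
    PHP's built-in default (On) applies.
    """
    enabled = True
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "expose_php":
            enabled = value.strip().strip("\"'").lower() not in OFF_VALUES
    return enabled


def guid_probes(log_lines):
    """Return (client, target, status) for each ?=PHP<GUID> request."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and GUID_QUERY.search(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


# Constructed sample data (not taken from the bug report).
SAMPLE_INI = "; expose_php = Off\nexpose_php = On\n"
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Oct/2012:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/Oct/2012:10:00:02 +0000] '
    '"GET /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 HTTP/1.1" 200 9731',
    '198.51.100.7 - - [24/Oct/2012:10:00:03 +0000] "GET /?page=PHP HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print("expose_php enabled:", expose_php_enabled(SAMPLE_INI))
    for client, target, status in guid_probes(SAMPLE_LOG):
        print("GUID query request:", client, target, status)
```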