[15393] in bugtraq


Re: PHP 3.0.14 Disclosure via POST requests

daemon@ATHENA.MIT.EDU (Scott)
Tue Jun 20 12:46:08 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <008201bfd7c0$2c5a47b0$0a01a8c0@romracer>
Date:         Fri, 16 Jun 2000 13:24:56 -0500
Reply-To: Scott <romracer@MAIL.UTEXAS.EDU>
From: Scott <romracer@MAIL.UTEXAS.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM

But hasn't this been a known security issue?  Even in higher versions of PHP
I've seen it return full pathnames on errors and warnings.  It's something
you just have to be careful of or turn off the option.  And phpinfo() is a
known security issue as well.  DOCUMENT_ROOT has always been a problem if
you aren't careful.  It's just a general practice that if you must have a
phpinfo() script somewhere that you give it the most obscure name possible.

Of course it would be better to just not have one in the first place.

Scott Wade
Systems Administrator
Brainwave Productions, LLC
romracer@mail.utexas.edu

----- Original Message -----
From: "Lars Hecking" <lhecking@NMRC.IE>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Thursday, June 15, 2000 6:48 PM
Subject: Re: [BUGTRAQ] PHP 3.0.14 Disclosure via POST requests

 A similar disclosure is possible with Horde (www.horde.org) packages.

 Horde comes with a test.php3 file which displays server info, including
 full path names, through phpinfo(). The fix is to chmod 000 this file
 after installation.

 The secure.sh script, which should be run after installation and
 configuration, has been updated to perform this operation, but only
 in the cvs. All versions released so far, including horde-1.2.0-pre12,
 are vulnerable.

 HAND.
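
The check discussed in this thread, as an added example that is not part of either message or of Horde's secure.sh: list scripts under a web root that call phpinfo() and are still readable, then apply the chmod 000 fix mentioned above. The function names, the extension list and the command-line usage are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a web root for readable scripts that call phpinfo().
# Function names and the extension list are assumptions, not from the thread.

# find_phpinfo DIR
# Print each PHP file under DIR that calls phpinfo() and still has at least
# one read bit set. Files already at mode 000 are skipped by the -perm tests,
# so the result is the same whether or not the audit runs as root.
find_phpinfo() {
    find "$1" -type f \
        \( -name '*.php' -o -name '*.php3' -o -name '*.phtml' \) \
        \( -perm -400 -o -perm -040 -o -perm -004 \) \
        -exec grep -lE 'phpinfo[[:space:]]*\(' {} + 2>/dev/null || true
}

# lock_phpinfo DIR
# Apply the fix named in the thread (chmod 000) to every hit and report it.
# Assumes file names contain no newlines.
lock_phpinfo() {
    find_phpinfo "$1" | while IFS= read -r f; do
        chmod 000 "$f" && printf 'locked %s\n' "$f"
    done
}

# Report-only mode when a web root is passed on the command line.
[ "$#" -eq 0 ] || find_phpinfo "$1"
```

The match is deliberately broad: a commented-out phpinfo() call is reported too, which is the safer default for an audit.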
