[15372] in bugtraq


Re: PHP 3.0.14 Disclosure via POST requests

daemon@ATHENA.MIT.EDU (Lars Hecking)
Fri Jun 16 14:22:12 2000

Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <20000616004847.A18672@nmrc.ie>
Date:         Fri, 16 Jun 2000 00:48:47 +0100
Reply-To: Lars Hecking <lhecking@NMRC.IE>
From: Lars Hecking <lhecking@NMRC.IE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <39495707.50AFF6EA@secureaustin.com>; from hdm@SECUREAUSTIN.COM
              on Thu, Jun 15, 2000 at 05:21:59PM -0500

> I noticed some not-so-good behavior in PHP 3.0.14 when dealing with POST
> requests that do not contain a content-type header in the request
> (illegal).  The server will return the page anyways, but the first line
> will be a PHP warning message containing the full path to that file.

 A similar disclosure is possible with Horde (www.horde.org) packages.

 Horde comes with a test.php3 file which displays server info, including
 full path names, through phpinfo(). The fix is to chmod 000 this file
 after installation.

 The secure.sh script, which should be run after installation and
 configuration, has been updated to perform this operation, but only
 in the cvs. All versions released so far, including horde-1.2.0-pre12,
 are vulnerable.

 HAND.
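
The check described in the message above, as an added example that is not part of the original post and is not Horde's secure.sh: it finds PHP files under a web root that call phpinfo() and are not yet mode 000, and can apply the chmod 000 fix. The function names and the list of file extensions are assumptions.

```shell
#!/bin/sh
# Added example: audit a web root for leftover phpinfo() pages such as
# test.php3 and apply the "chmod 000" fix from the message.
# Function names and the extension list are assumptions, not Horde's code.

# list_exposed_phpinfo DOCROOT
# Prints one path per line for each PHP file under DOCROOT that calls
# phpinfo() and still has at least one permission bit set.
list_exposed_phpinfo() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # "! -perm 000" skips files that are already locked down, so the result
    # is the same whether or not the audit runs as root.
    find "$root" -type f \
        \( -name '*.php' -o -name '*.php3' -o -name '*.phtml' \) \
        ! -perm 000 \
        -exec grep -l -i -E 'phpinfo[[:space:]]*\(' {} + 2>/dev/null || true
}

# lock_exposed_phpinfo DOCROOT
# Runs chmod 000 on every file reported above and prints each path changed.
# Paths containing newlines are not handled.
lock_exposed_phpinfo() {
    list_exposed_phpinfo "$1" | while IFS= read -r f; do
        chmod 000 "$f" && printf '%s\n' "$f"
    done
}

# Stand-alone use: sh audit.sh DOCROOT        (report only)
#                  sh audit.sh DOCROOT --fix  (report and chmod 000)
if [ "$#" -gt 0 ]; then
    if [ "${2:-}" = "--fix" ]; then
        lock_exposed_phpinfo "$1"
    else
        list_exposed_phpinfo "$1"
    fi
fi
```
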
