[30356] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Re: PHP XSS exploit in phpinfo()

daemon@ATHENA.MIT.EDU (Daniel Naber)
Wed Jun 4 18:12:15 2003

From: Daniel Naber <daniel.naber@t-online.de>
To: silent needle <silentneedle@hotmail.com>
Date: Wed, 4 Jun 2003 21:05:15 +0200
In-Reply-To: <20030603133007.29207.qmail@www.securityfocus.com>
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <200306042105.15693@danielnaber.de>

On Tuesday 03 June 2003 15:30, silent needle wrote:

> A: BACKGROUND(from php.net)
> int phpinfo ( [int what])
> Outputs a large amount of information about the current state of PHP.

And because of that amount of information it's a security issue if 
phpinfo() is publically available at all, not just because you can do XSS 
with it. (Of course it should be fixed anyway.)

Regards
 Daniel

-- 
http://www.danielnaber.de


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[30356] in bugtraq

Re: PHP XSS exploit in phpinfo()

daemon@ATHENA.MIT.EDU (Daniel Naber)Wed Jun 4 18:12:15 2003

daemon@ATHENA.MIT.EDU (Daniel Naber)
Wed Jun 4 18:12:15 2003