Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 28 Jun 2012 19:40:35 +0200
From: "Oden Eriksson" <oeriksson@...driva.com>
To: oss-security@...ts.openwall.com
Subject: Re: PHP information disclosure via easter egg
 ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 06/28/2012 12:13 AM, Pierre Joye wrote:
>> hi Kurt!
>>
>> On Thu, Jun 28, 2012 at 7:12 AM, Kurt Seifried
>> <kseifried@...hat.com> wrote:
>>
>>> So simply querying:
>>>
>>> ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
>>>
>>> e.g.:
>>>
>>> http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
>>>
>>> shows authors, SAPI modules (and their authors) and normal
>>> modules (and their authors), resulting in a significant
>>> information disclosure (version #'s can be narrowed down from the
>>> authors list).
>>>
>>> This has already been reported, but no CVE was assigned:
>>>
>>> https://bugs.php.net/bug.php?id=55497
>>>
>>> It is mentioned in http://php.net/manual/en/ini.core.php however
>>> it is enabled by default:
>>>
>>> ; Decides whether PHP may expose the fact that it is installed on
>>> the server ; (e.g. by adding its signature to the Web server
>>> header).  It is no security ; threat in any way, but it makes it
>>> possible to determine whether you use PHP ; on your server or
>>> not.
>>>
>>> ; http://www.php.net/manual/en/ini.core.php#ini.expose-php
>>>
>>> expose_php = On
>>
>> Why would it require a CVE and why is it seen as a security issue?
>> Sure it could be, like unfiltered input and the like but...
>>
>> Cheers,
>
> I wasn't asking for a CVE for this issue (no "CVE Request: in
> subject), This is more of a place holder/information (oss-security is
> read by a lot of security vendors/etc, and is for more than just CVE
> assignments) and to make sure people are aware of the issue, since I
> wasn't even aware of it until someone pointed it out to me.
>
> Exposing the fact that I am running PHP is one thing. Exposing exactly
> which modules I have loaded is quite another.


http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

That url does not show loaded modules. One can also use for example:

disable_functions = phpinfo

in /etc/php.ini

So, I guess that's sufficent.

-- 
Regards // Oden Eriksson
Security team manager - Mandriva
CEO NUX AB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.