Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 28 Jun 2012 13:24:32 +0000
From: Zeev Suraski <zeev@...d.com>
To: Stuart Henderson <stu@...cehopper.org>, "oss-security@...ts.openwall.com"
	<oss-security@...ts.openwall.com>
CC: Kurt Seifried <kseifried@...hat.com>, "security@....net"
	<security@....net>
Subject: RE: Re: PHP information disclosure via easter egg
 ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

> Would you expect a variable described as "Decides whether PHP may expose
> the fact that it is installed on the server" to control whether an anonymous user
> can fetch a list of enabled modules?

I wouldn't, and thankfully it does not.  The list you're seeing has nothing to do with what's enabled or disabled on the server.  It's a build-time list of all the modules that were available in the source tree.  It's completely static for a given version of PHP.  As an example, in the abovementioned URL, you see NSAPI, ISAPI and Apache 2.0 mentioned, although this is an Apache 1.3 server.  We also surely don't have COM and .NET installed on that Linux server either.

This is definitely not a security issue of any kind.

Zeev

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.