Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos network security services platform







Bugtraq: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

From: Stefan Esser <sesser_at_hardened-php.net>
Date: Mon, 31 Oct 2005 14:33:22 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security Advisory =-

     Advisory: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()
 Release Date: 2005/10/31
Last Modified: 2005/10/31
       Author: Stefan Esser [sesser_at_hardened-php.net]

  Application: PHP4 <= 4.4.0
               PHP5 <= 5.0.5
     Severity: A Cross Site Scripting (XSS) Vulnerability in phpinfo()
               could f.e. lead to cookie data exposure if an info
               script is left on a production server.
         Risk: Low
Vendor Status: Vendor has released a bugfixed PHP 4 version
   References: http://www.hardened-php.net/advisory_182005.77.html

Overview:

   PHP is a widely-used general-purpose scripting language that is
   especially suited for Web development and can be embedded into HTML.

   During the development of the Hardening-Patch which adds security
   hardening features to the PHP codebase, several vulnerabilities
   within PHP were discovered. This advisory describes one of these
   flaws concerning a weakness in the phpinfo() function, which allows
   Cross Site Scripting (XSS).

Details:
   
   The phpinfo() function outputs a large amount of information about
   the current state of PHP. This includes information about PHP
   compilation options and extensions, the PHP version, server
   information and environment (if compiled as a module), the PHP
   environment, OS version information, paths, master and local
   values of configuration options and request variables, HTTP
   headers, and the PHP License.
   
   Because phpinfo() leaks a lot of information to the viewer it is
   not recommended to leave a script executing phpinfo() on a
   production server. However in reality phpinfo() scripts are left
   open on a lot of servers. While this is already bad enough, there
   is also a problem when request variables of a certain form are
   displayed. With a properly crafted URL, that contains a stacked
   array assignment it is f.e. possible to inject HTML code into the
   output of phpinfo(), which could result in the leakage of domain
   cookies (f.e. session identifiers).

Proof of Concept:

   The Hardened-PHP project is not going to release exploits for any
   of these vulnerabilities to the public.

Recommendation:

   It is strongly recommended to never leave phpinfo() scripts on
   production servers, additionally it is recommended to upgrade to
   the new PHP-Releases as soon as possible, because it also fixes
   a few vulnerabilities, that are rated critical. Finally we always
   recommend to run PHP with the Hardening-Patch applied.

GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2005 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFDZhz7RDkUzAqGSqERAt9xAJ9n80d64fyNFyeWWwEVnsHfuyjE8wCeNgx3
OhyWy37m+0oH/xv6yIcNaCs=
=X39u
-----END PGP SIGNATURE-----
Received on Oct 31 2005

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]