Vulnerability

    PHP

Affected

    PHP 3.0.14

Description

    H D Moore found following.   He noticed some not-so-good  behavior
    in PHP 3.0.14 when dealing with POST requests that do not  contain
    a content-type header in the  request (illegal).  The server  will
    return the page anyways, but the first line will be a PHP  warning
    message  containing  the  full  path   to  that  file.   The   PHP
    developers  have  _not_  been  notified  because  the bug (?) only
    appears  in  older  versions  of  thier  software  (4.0  has  been
    released)  and   the  fact   that  path   disclosure  is   a  weak
    vulnerability by itself.

    A similar disclosure is possible with Horde packages.  Horde comes
    with a test.php3 file  which displays server info,  including full
    path names, through phpinfo().  The fix is to chmod 000 this  file
    after installation.

Solution

    Disabling PHP's warning messages can be done by changing the  line
    in php.ini reading:

        display_errors  =       On      ; Print out errors (as a part of the HTML script)

    to:

        display_errors  =       Off      ; Print out errors (as a part of the HTML script)

    and restarting the webserver.

    The secure.sh script, which  should be run after  installation and
    configuration, has  been updated  to perform  this operation,  but
    only  in  the  cvs.  All  versions  released  so  far,   including
    horde-1.2.0-pre12, are vulnerable.

    DOCUMENT_ROOT has  always been  a problem  if you  aren't careful.
    It's just  a general  practice that  if you  must have a phpinfo()
    script somewhere that you give it the most obscure name  possible.
    Of course it  would be better  to just not  have one in  the first
    place.