|
Vulnerability PHP Affected PHP 3.0.14 Description H D Moore found following. He noticed some not-so-good behavior in PHP 3.0.14 when dealing with POST requests that do not contain a content-type header in the request (illegal). The server will return the page anyways, but the first line will be a PHP warning message containing the full path to that file. The PHP developers have _not_ been notified because the bug (?) only appears in older versions of thier software (4.0 has been released) and the fact that path disclosure is a weak vulnerability by itself. A similar disclosure is possible with Horde packages. Horde comes with a test.php3 file which displays server info, including full path names, through phpinfo(). The fix is to chmod 000 this file after installation. Solution Disabling PHP's warning messages can be done by changing the line in php.ini reading: display_errors = On ; Print out errors (as a part of the HTML script) to: display_errors = Off ; Print out errors (as a part of the HTML script) and restarting the webserver. The secure.sh script, which should be run after installation and configuration, has been updated to perform this operation, but only in the cvs. All versions released so far, including horde-1.2.0-pre12, are vulnerable. DOCUMENT_ROOT has always been a problem if you aren't careful. It's just a general practice that if you must have a phpinfo() script somewhere that you give it the most obscure name possible. Of course it would be better to just not have one in the first place.