TUCoPS :: Web :: PHP
:: php1.htm
PHP 3.0.14 poor handling of illegal requests
Vulnerability
PHP
Affected
PHP 3.0.14
Description
H D Moore found following. He noticed some not-so-good behavior
in PHP 3.0.14 when dealing with POST requests that do not contain
a content-type header in the request (illegal). The server will
return the page anyways, but the first line will be a PHP warning
message containing the full path to that file. The PHP
developers have _not_ been notified because the bug (?) only
appears in older versions of thier software (4.0 has been
released) and the fact that path disclosure is a weak
vulnerability by itself.
A similar disclosure is possible with Horde packages. Horde comes
with a test.php3 file which displays server info, including full
path names, through phpinfo(). The fix is to chmod 000 this file
after installation.
Solution
Disabling PHP's warning messages can be done by changing the line
in php.ini reading:
display_errors = On ; Print out errors (as a part of the HTML script)
to:
display_errors = Off ; Print out errors (as a part of the HTML script)
and restarting the webserver.
The secure.sh script, which should be run after installation and
configuration, has been updated to perform this operation, but
only in the cvs. All versions released so far, including
horde-1.2.0-pre12, are vulnerable.
DOCUMENT_ROOT has always been a problem if you aren't careful.
It's just a general practice that if you must have a phpinfo()
script somewhere that you give it the most obscure name possible.
Of course it would be better to just not have one in the first
place.