[Full-disclosure] Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

From: Stefan Esser (sesser_at_hardened-php.net)
Date: 10/31/05

  • Next message: Stefan Esser: "[Full-disclosure] Advisory 19/2005: PHP register_globals Activation Vulnerability in parse_str()" 
    Date: Mon, 31 Oct 2005 14:33:22 +0100
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk, red@heisec.de

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                            Hardened-PHP Project
                            www.hardened-php.net

                          -= Security Advisory =-

         Advisory: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()
     Release Date: 2005/10/31
    Last Modified: 2005/10/31
           Author: Stefan Esser [sesser@hardened-php.net]

      Application: PHP4 <= 4.4.0
                   PHP5 <= 5.0.5
         Severity: A Cross Site Scripting (XSS) Vulnerability in phpinfo()
                   could f.e. lead to cookie data exposure if an info
                   script is left on a production server.
             Risk: Low
    Vendor Status: Vendor has released a bugfixed PHP 4 version
       References: http://www.hardened-php.net/advisory_182005.77.html

    Overview:

       PHP is a widely-used general-purpose scripting language that is
       especially suited for Web development and can be embedded into HTML.

       During the development of the Hardening-Patch which adds security
       hardening features to the PHP codebase, several vulnerabilities
       within PHP were discovered. This advisory describes one of these
       flaws concerning a weakness in the phpinfo() function, which allows
       Cross Site Scripting (XSS).

    Details:
       
       The phpinfo() function outputs a large amount of information about
       the current state of PHP. This includes information about PHP
       compilation options and extensions, the PHP version, server
       information and environment (if compiled as a module), the PHP
       environment, OS version information, paths, master and local
       values of configuration options and request variables, HTTP
       headers, and the PHP License.
       
       Because phpinfo() leaks a lot of information to the viewer it is
       not recommended to leave a script executing phpinfo() on a
       production server. However in reality phpinfo() scripts are left
       open on a lot of servers. While this is already bad enough, there
       is also a problem when request variables of a certain form are
       displayed. With a properly crafted URL, that contains a stacked
       array assignment it is f.e. possible to inject HTML code into the
       output of phpinfo(), which could result in the leakage of domain
       cookies (f.e. session identifiers).

    Proof of Concept:

       The Hardened-PHP project is not going to release exploits for any
       of these vulnerabilities to the public.

    Recommendation:

       It is strongly recommended to never leave phpinfo() scripts on
       production servers, additionally it is recommended to upgrade to
       the new PHP-Releases as soon as possible, because it also fixes
       a few vulnerabilities, that are rated critical. Finally we always
       recommend to run PHP with the Hardening-Patch applied.

    GPG-Key:

       http://www.hardened-php.net/hardened-php-signature-key.asc

       pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
       Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

    Copyright 2005 Stefan Esser. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQFDZhz7RDkUzAqGSqERAt9xAJ9n80d64fyNFyeWWwEVnsHfuyjE8wCeNgx3
    OhyWy37m+0oH/xv6yIcNaCs=
    =X39u
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

  • Next message: Stefan Esser: "[Full-disclosure] Advisory 19/2005: PHP register_globals Activation Vulnerability in parse_str()"

    Relevant Pages

    • Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()
      ... Vendor has released a bugfixed PHP 4 version ... The phpinfo() function outputs a large amount of information about ... production server. ... Recommendation: ...
      (Bugtraq)
    • Re: Error reporting
      ... seems that it indeed was my mistake in configuring PHP. ... looking at the output from phpinfo(). ... later in the same file the same settings were set to Off. ... > to the fake function. ...
      (comp.lang.php)
    • PHP XSS exploit in phpinfo()
      ... PHP XSS exploit in phpinfo() by Silent Needle ... int phpinfo ... Outputs a large amount of information about the current state of PHP. ...
      (Bugtraq)
    • Re: phpinfo is not affected by html_errors
      ... about the errors php output for an invalid line... ... > force the output from phpinfo to be either plain text or HTML. ... One is executes as CGI, ...
      (comp.lang.php)
    • Re: open_basedir problem
      ... then PHP may be taking the last directory as "/tmp no value". ... Master open_basedir value to "no value" (as evidenced by phpinfo)? ... I've tried using an .htaccess file to do a php_admin_value ... I'm running I'm running PHP Version 4.3.9 if that makes a difference. ...
      (comp.lang.php)