Message-ID: <4FEC1BA7.5030403@redhat.com>
Date: Thu, 28 Jun 2012 02:53:59 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: PHP information disclosure via easter egg ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

On 06/28/2012 12:13 AM, Pierre Joye wrote:
> hi Kurt!
> 
> On Thu, Jun 28, 2012 at 7:12 AM, Kurt Seifried
> <kseifried@...hat.com> wrote:
> 
>> So simply querying:
>> 
>> ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
>> 
>> e.g.:
>> 
>> http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
>> 
>> shows authors, SAPI modules (and their authors) and normal
>> modules (and their authors), resulting in a significant
>> information disclosure (version #'s can be narrowed down from the
>> authors list).
>> 
>> This has already been reported, but no CVE was assigned:
>> 
>> https://bugs.php.net/bug.php?id=55497
>> 
>> It is mentioned in http://php.net/manual/en/ini.core.php however
>> it is enabled by default:
>> 
>> ; Decides whether PHP may expose the fact that it is installed on the server
>> ; (e.g. by adding its signature to the Web server header).  It is no security
>> ; threat in any way, but it makes it possible to determine whether you use PHP
>> ; on your server or not.
>> 
>> ; http://www.php.net/manual/en/ini.core.php#ini.expose-php
>> 
>> expose_php = On
> 
> Why would it require a CVE and why is it seen as a security issue? 
> Sure it could be, like unfiltered input and the like but...
> 
> Cheers,

I wasn't asking for a CVE for this issue (no "CVE Request:" in
subject). This is more of a placeholder/information (oss-security is
read by a lot of security vendors/etc., and is for more than just CVE
assignments) and to make sure people are aware of the issue, since I
wasn't even aware of it until someone pointed it out to me.

Exposing the fact that I am running PHP is one thing. Exposing exactly
which modules I have loaded is quite another.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

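
Added example (not part of the original message and not PHP project code): a log check a defender can run to see which clients have requested the credits query string discussed in this thread. It generalises to any `=PHP<GUID>` query string and assumes combined-format access logs; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common/combined log format: client, request line, status (other fields skipped).
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# "=PHP" followed by a GUID. Generalises the single value quoted in the thread
# (assumption: any query of this shape is worth reviewing).
EGG_RE = re.compile(r'^=PHP([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})$', re.I)

def find_easter_egg_probes(lines):
    """Return {client: [(path, guid, status), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        path, _, query = m.group("target").partition("?")
        # Decode once so "%3DPHP..." is flagged as well as the literal form.
        for part in unquote(query).split("&"):
            egg = EGG_RE.match(part)
            if egg:
                hits[m.group("client")].append(
                    (path, egg.group(1).upper(), int(m.group("status"))))
    return dict(hits)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jun/2012:08:00:01 +0000] "GET /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 HTTP/1.1" 200 8421',
    '192.0.2.10 - - [28/Jun/2012:08:00:02 +0000] "GET /index.php?%3Dphpb8b5f2a0-3c92-11d3-a3a9-4c7b08c10000 HTTP/1.1" 200 8421',
    '198.51.100.7 - - [28/Jun/2012:08:01:00 +0000] "GET /index.php?page=PHP-intro HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/Jun/2012:08:01:05 +0000] "GET /about HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, reqs in find_easter_egg_probes(SAMPLE_LOG).items():
        print(client, len(reqs), sorted({guid for _, guid, _ in reqs}))
```

A match only shows that the query was requested; whether the credits page was actually served depends on the `expose_php` setting quoted above.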
