103486 2003-06-04 19:12 /49 lines/ silent needle <silentneedle@hotmail.com>
Imported: 2003-06-04 19:12 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5133>
Subject: PHP XSS exploit in phpinfo()
------------------------------------------------------------
PHP XSS exploit in phpinfo()
by Silent Needle

A: BACKGROUND (from php.net)

int phpinfo ( [int what] )

Outputs a large amount of information about the current state of PHP. This includes information about PHP compilation options and extensions, the PHP version, server information and environment (if compiled as a module), the PHP environment, OS version information, paths, master and local values of configuration options, HTTP headers, and the PHP License.

Because every system is set up differently, phpinfo() is commonly used to check configuration settings and for available predefined variables on a given system. Also, phpinfo() is a valuable debugging tool as it contains all EGPCS (Environment, GET, POST, Cookie, Server) data.

The output may be customized by passing one or more of the following constants' bitwise values summed together in the optional what parameter. One can also combine the respective constants or bitwise values together with the or operator.

B: DESCRIPTION

Cross-site scripting allows you to print HTML or JavaScript or other content in the webpage when it is just opened, not written in the page.

C: EXPLOIT

If you find a page running phpinfo(); like this:

http://[site]/info.php

you can make an XSS by adding any variable and putting an HTML or JavaScript value in it, like this.

THE EXPLOIT URL:

http://[site]/info.php?variable=[SCRIPT]

You can change [SCRIPT] to any HTML or JavaScript code.

Note: you can steal cookies this way only if it is in the same folder as any program using cookies.

D: GREETZ To: SP.IC, DR^^FUNNY, ARAB-HAK, ZALABOZA, OH SHE IS A LITTLE RUN AWAY :)

E: CONTACT
Silent Needle
silentneedle@hotmail.com

F: OH LONG NIGHT
Bye
(103486) /silent needle <silentneedle@hotmail.com>/(Re-wrapped)
Comment in text 103518 by Daniel Naber <daniel.naber@t-online.de>

103518 2003-06-05 00:06 /17 lines/ Daniel Naber <daniel.naber@t-online.de>
Imported: 2003-06-05 00:06 by Brevbäraren
External recipient: silent needle <silentneedle@hotmail.com>
Recipient: Bugtraq (import) <5138>
Comment on text 103486 by silent needle <silentneedle@hotmail.com>
Subject: Re: PHP XSS exploit in phpinfo()
------------------------------------------------------------
On Tuesday 03 June 2003 15:30, silent needle wrote:

> A: BACKGROUND(from php.net)
> int phpinfo ( [int what])
> Outputs a large amount of information about the current state of PHP.

And because of that amount of information it's a security issue if phpinfo() is publicly available at all, not just because you can do XSS with it. (Of course it should be fixed anyway.)

Regards
 Daniel

--
http://www.danielnaber.de
(103518) /Daniel Naber <daniel.naber@t-online.de>/(Re-wrapped)

103678 2003-06-05 21:26 /19 lines/ Martin <broadcast@o0.dyndns.org>
Imported: 2003-06-05 21:26 by Brevbäraren
External recipient: Mr. Bugtraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <5150>
Subject: Monkey Http Daemon
------------------------------------------------------------
After reading the PHP XSS "exploit" (I don't know if it qualifies as one) in phpinfo(), I found out that on the default page of the Monkey Http Daemon there is a "Test of Supports" section. Two links are included:

http://whateverhost/php/index.php
and
http://whateverhost/cgi-bin/test.pl

index.php just contains 'echo phpinfo(); '

Also, test.pl doesn't check for valid input on the forms, so you can include HTML code, etc.

Pretty useless, I know, but I've been reading posts about this kind of stuff, so I thought I would throw this in.

Found this on version 0.7.1, the latest one I found on freshmeat.net. I haven't contacted the author since I don't know if this is really a big deal or not.

Well, sorry for bothering and I hope I don't get flamed or anything.
(103678) /Martin <broadcast@o0.dyndns.org>/(Re-wrapped)
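The reflection described in the first post (and re-exposed by the Monkey Http Daemon index.php that Martin mentions) can be confirmed mechanically rather than by eyeballing the page. The Python below is an added example and is not code from any of the three messages or from PHP itself: it builds the exploit URL from the post with a canary value, simulates the request-variable table that an unescaped phpinfo() prints beside an htmlspecialchars()-style escaped rendering (html.escape is used as the equivalent), and classifies which HTML metacharacters come back raw. The base URL, the parameter name "variable" and the simplified table markup are assumptions for illustration.

```python
"""Reflection probe for the phpinfo()-style XSS discussed in the thread.

An unpatched phpinfo() writes every request variable into its HTML tables
without escaping, so ?variable=<script>... lands in the page as markup.
This example (not code from the thread) builds the probe URL, simulates the
vulnerable and the escaped rendering, and classifies what comes back.
"""
import html
import re
import secrets
from urllib.parse import urlencode

# Every HTML metacharacter a reflection must neutralise.  A raw '<' or '>'
# means markup injection; raw quotes break out of attributes; raw '&' shows
# no entity encoding happened at all.
METACHARS = '<>"\'&'

# '&' counts as raw only when it does NOT start an entity such as &lt; or &#x27;
RAW_AMP = re.compile(r"&(?![A-Za-z#][A-Za-z0-9]*;)")


def canary():
    """Unique alphanumeric marker so the probe can find its own reflection."""
    return "xq" + secrets.token_hex(4)


def build_probe_value(cname):
    """Canary, all metacharacters, canary again: the value to send."""
    return f"{cname}{METACHARS}{cname}"


def build_probe_url(base, name, value):
    """The exploit URL from the post, with the value properly URL-encoded.

    base and name are assumptions for illustration (the post uses
    http://[site]/info.php and 'variable').
    """
    return f"{base}?{urlencode({name: value})}"


def render_request_table(params, escape):
    """Simulate the _GET table phpinfo() prints for a request.

    escape=False reproduces the unescaped reflection reported in the thread;
    escape=True applies the htmlspecialchars()-equivalent fix (html.escape).
    The table markup is a simplification, not phpinfo()'s exact output.
    """
    rows = []
    for key, value in params.items():
        if escape:
            key = html.escape(key, quote=True)
            value = html.escape(value, quote=True)
        rows.append(f'<tr><td class="e">_GET["{key}"]</td>'
                    f'<td class="v">{value}</td></tr>')
    return "<html><body><table>" + "".join(rows) + "</table></body></html>"


def classify_reflection(body, cname):
    """Locate the canary pair in body and report which metacharacters survived.

    Returns a dict:
      reflected - the parameter was echoed at all
      raw       - metacharacters present literally between the canaries
      escaped   - reflected, but nothing dangerous survived
    """
    pair = re.compile(re.escape(cname) + "(.*?)" + re.escape(cname), re.S)
    match = pair.search(body)
    if not match:
        return {"reflected": False, "raw": "", "escaped": False}
    between = match.group(1)
    raw = "".join(c for c in '<>"\'' if c in between)
    if RAW_AMP.search(between):
        raw += "&"
    return {"reflected": True, "raw": raw, "escaped": raw == ""}


if __name__ == "__main__":
    c = canary()
    value = build_probe_value(c)
    print("probe URL:", build_probe_url("http://[site]/info.php", "variable", value))
    for escape in (False, True):
        body = render_request_table({"variable": value}, escape)
        print("escaped output" if escape else "vulnerable output",
              "->", classify_reflection(body, c))
```

Against a live info.php, fetch the URL that build_probe_url returns and pass the response body and the same canary to classify_reflection; a non-empty "raw" field is the unescaped reflection the post describes. Note that a clean result only closes the XSS: as Daniel Naber points out, an exposed phpinfo() page still leaks the configuration, so removing the page is the fix rather than escaping it.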