From: s.esser at e-matters.de (Stefan Esser)
Subject: PHP Information Functions May Allow Cross-Site Scripting

> The Irony:
>
> The comment lines directly above the expose_php directive in the default
> config file specifically say that it is "no security threat", but having it
> enabled opens you to an XSS?  Food for thought...

Sorry but this is simply not true. You are only vulnerable if you provide
a script that calls phpinfo(); AND(!) have expose_php on.
I already said at different places that you cannot blame insecure programming
on the language. There is absolutely NO reason to have a phpinfo() script
on a production server, because it reveals too much information.

Stefan Esser
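The reply above states the exposure condition as a conjunction: a reachable script that calls phpinfo() AND expose_php turned on. The following audit helper, added here as an example and not part of the original post, checks both halves of that condition against a php.ini and a set of PHP sources; the ini text and file contents are constructed samples, and the comment stripping is a heuristic, not a PHP parser.

```python
"""Check the two conditions from the post: a live phpinfo() call in a served
script, and expose_php = On. Only the combination is reported as exposed."""
import re

# Constructed sample inputs standing in for a php.ini and a web root.
SAMPLE_PHP_INI = """
; Decides whether PHP may expose the fact that it is installed on the server
expose_php = On
"""
SAMPLE_WEBROOT = {
    "index.php": "<?php echo 'hello'; ?>",
    "info.php": "<?php phpinfo(); ?>",
    "legacy.php": "<?php /* phpinfo(); */ echo 'ok'; // phpinfo() disabled\n?>",
}

_TRUE_VALUES = {"1", "on", "true", "yes"}

def expose_php_enabled(ini_text: str) -> bool:
    """True if the ini text leaves expose_php on. The last uncommented
    assignment wins; if the directive is absent, PHP's compiled-in default
    (On) applies, so an empty ini counts as enabled."""
    enabled = True
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts an ini comment
        m = re.match(r"expose_php\s*=\s*(\S*)", line, re.IGNORECASE)
        if m:
            enabled = m.group(1).strip('"').lower() in _TRUE_VALUES
    return enabled

# Heuristic: drop /* */, // and # comments before looking for the call.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
_PHPINFO_RE = re.compile(r"\bphpinfo\s*\(")

def scripts_calling_phpinfo(files: dict) -> list:
    """Names of scripts containing a phpinfo() call outside comments."""
    hits = []
    for name, source in files.items():
        if _PHPINFO_RE.search(_COMMENT_RE.sub("", source)):
            hits.append(name)
    return sorted(hits)

def audit(ini_text: str, files: dict) -> dict:
    """Combine both checks; 'exposed' is True only when both hold."""
    hits = scripts_calling_phpinfo(files)
    on = expose_php_enabled(ini_text)
    return {"expose_php": on, "phpinfo_scripts": hits, "exposed": on and bool(hits)}

if __name__ == "__main__":
    print(audit(SAMPLE_PHP_INI, SAMPLE_WEBROOT))
```

Remediation follows from the same conjunction: remove the phpinfo() script from the served tree, and set expose_php = Off as defence in depth.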
