Message-ID: <20021013102048.GA30229@php.net>
From: s.esser at e-matters.de (Stefan Esser)
Subject: PHP Information Functions May Allow Cross-Site Scripting
> The Irony:
>
> The comment lines directly above the expose_php directive in the default
> config file specifically say that it is "no security threat", but having it
> enabled opens you to an XSS? Food for thought...
Sorry, but this is simply not true. You are only vulnerable if you provide
a script that calls phpinfo(); AND(!) have expose_php on.
I already said at different places that you cannot blame insecure programming
on the language. There is absolutely NO reason to have a phpinfo() script
on a production server, because it reveals too much information.
Stefan Esser
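The reply above ties the exposure to two conditions holding at once: a deployed script that calls phpinfo(), and expose_php left on. The following POSIX shell audit is an added example, not part of the original message or of PHP itself; it searches a document root for phpinfo() calls, reads the expose_php directive from a php.ini, and classifies the combination. The sample document root and ini files it builds under a temporary directory are constructed for the demonstration, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original message): audit a document root for
# phpinfo() scripts and check the expose_php directive in a php.ini file.

# Print the paths of PHP files under $1 that call phpinfo(), one per line.
find_phpinfo_scripts() {
    docroot="$1"
    find "$docroot" -type f -name '*.php' \
        -exec grep -lE 'phpinfo[[:space:]]*\(' {} + 2>/dev/null || true
}

# Return 0 (shell true) if expose_php is enabled in the php.ini given as $1.
# PHP's built-in default is On, so an absent directive (or absent file)
# counts as enabled; only an explicit Off/0/false/no/none disables it.
expose_php_enabled() {
    ini="$1"
    value=$(grep -iE '^[[:space:]]*expose_php[[:space:]]*=' "$ini" 2>/dev/null \
        | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:];].*$//' \
        | tr '[:upper:]' '[:lower:]')
    case "$value" in
        off|0|false|no|none) return 1 ;;
        *) return 0 ;;
    esac
}

# Classify the combination for docroot $1 and php.ini $2 with one word:
#   exposed                 phpinfo() script present AND expose_php on
#   phpinfo-script-present  script present, expose_php explicitly off
#   expose_php-on           no script found, expose_php on
#   clean                   neither condition holds
classify_exposure() {
    docroot="$1"
    ini="$2"
    scripts=$(find_phpinfo_scripts "$docroot")
    if expose_php_enabled "$ini"; then on=1; else on=0; fi
    if [ -n "$scripts" ] && [ "$on" -eq 1 ]; then
        echo exposed
    elif [ -n "$scripts" ]; then
        echo phpinfo-script-present
    elif [ "$on" -eq 1 ]; then
        echo expose_php-on
    else
        echo clean
    fi
}

# Build a constructed sample tree (two PHP files, two ini variants) and print
# its root path. Purely illustrative data; not taken from any real server.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs/admin"
    printf '<?php echo "hello"; ?>\n' > "$root/htdocs/index.php"
    printf '<?php phpinfo(); ?>\n' > "$root/htdocs/admin/info.php"
    printf '; constructed php.ini fragment\nexpose_php = On\n' > "$root/php.ini"
    printf 'expose_php = Off\n' > "$root/php-hardened.ini"
    printf '%s\n' "$root"
}

# Stand-alone usage: ./audit.sh /path/to/docroot /path/to/php.ini
if [ "$#" -eq 2 ]; then
    classify_exposure "$1" "$2"
fi
```

Note that turning expose_php off only removes one of the two conditions; the classification still reports the phpinfo() script itself, which is the part the reply says has no place on a production server.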