[Full-Disclosure] PHP Information Functions May Allow Cross-Site Scripting
s.esser at e-matters.de
Sun Oct 13 11:20:48 BST 2002
> The Irony:
> The comment lines directly above the expose_php directive in the default
> config file specifically say that it is "no security threat", but having it
> enabled opens you to an XSS? Food for thought...
Sorry but this is simply not true. You are only vulnerable if you provide
a script that calls phpinfo(); AND(!) have expose_php on.
I already said at different places that you cannot blame insecure programming
onto the language. There is absolutely NO reason to have a phpinfo() script
on a production server, because it reveals too much information.
Full-Disclosure is hosted and sponsored by Secunia.