[Full-Disclosure] PHP Information Functions May Allow Cross-Site Scripting

[Stefan Esser]

> The Irony:
>
> The comment lines directly above the expose_php directive in the default
> config file specifically say that it is "no security threat", but having it
> enabled opens you to an XSS?  Food for thought...

Sorry but this is simply not true. You are only vulnerable if you provide
a script that calls phpinfo(); AND(!) have expose_php on.
I already said at different places that you cannot blame insecure programming
onto the language. There is absolutely NO reason to have a phpinfo() script
on a production server, because it reveals too much information. 

Stefan Esser