[IMPORTANT] phpinfo() vulnerability
jimson - why would the hosting company care?
Correct me if I'm wrong, but CSS/XSS only impacts the end user and possibly the application/website. As far as the server is concerned, I don't know of any way to do any damage with this. (Please, someone let me know otherwise)
jimson - why would the hosting company care?
Peeps who pay to host MySQL/PHP... I don't see why they won't complain to their host...
Maybe they will complain to php.net
But the hosting company cannot do anything to prevent it...
Somebody will be blamed and scolded... <= you know what I mean?
Thanks jayant, I understand a tad bit more now... so basically it's using one script to get information from another? Like cookies and other sensitive data?
Originally posted by goldbug
jimson - why would the hosting company care?
Correct me if I'm wrong, but CSS/XSS only impacts the end user and possibly the application/website. As far as the server is concerned, I don't know of any way to do any damage with this. (Please, someone let me know otherwise)
It's possible to insert PHP/any other server-side language too, to do the damage. It depends from case to case whether it will succeed or not.
I'll go tell my boys. thanks for letting us know.
It's always been a known fact not to leave phpinfo on your server where it can be accessed by the public.
It's good for new programmers, but I've always known it was a security issue.
Originally posted by seby
It's always been a known fact not to leave phpinfo on your server where it can be accessed by the public.
It's good for new programmers, but I've always known it was a security issue.
Concur. I'm paranoid re: security, I don't want anybody seeing anything that phpinfo() knows...pathnames, OS types, software versions, build dates, etc., etc...
well, I always say that the question isn't how paranoid you are, but whether you're paranoid enough.
Just because you aren't paranoid, doesn't mean that no one is watching!!!
And why is phpbuilder's info page available then.
Jstarkey???
it isn't now... LOL
Originally posted by stolzyboy
And why is phpbuilder's info page available then.
Jstarkey???
Can you post a link? I haven't seen it.
Originally posted by jayant
Make sure you keep your phpinfo() scripts protected (as in preferably not available for the world to see). This is no bigee, but it's best to avoid it:
http://www.securityfocus.com/bid/7805/discussion/
Example:
phpinfo.php?code=<script>alert("This is an exploit");</script>
Thanks for the info. Question, still being intermediate: does this go into all our PHP pages? And if so, at the beginning of the page before all the script?
thanks
Charles
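One way to keep a phpinfo() page away from the public, as an added example that is not part of this thread or of PHP's own code: the allowed addresses and the credentials below are placeholders you must change, and the Basic-auth variables assume PHP runs as a module or under FPM.

```php
<?php
// Added example (not from the thread): a wrapper that keeps phpinfo() off the
// public web. Save it under a non-guessable name and, better, outside any
// directory that is served without authentication.
// Assumptions: the allowed addresses and the credentials are placeholders.

declare(strict_types=1);

$allowedAddresses = ['127.0.0.1', '::1'];   // placeholder: admin hosts only
$adminUser = 'phpinfo-admin';                 // placeholder credentials
// Placeholder: in practice store a precomputed hash, not a literal password.
$adminPasswordHash = password_hash('CHANGE-ME', PASSWORD_DEFAULT);

// 1. Only reachable from the allowed client addresses; answer 404 otherwise
//    so the page does not advertise its own existence.
$client = $_SERVER['REMOTE_ADDR'] ?? '';
if (!in_array($client, $allowedAddresses, true)) {
    http_response_code(404);
    exit;
}

// 2. Require HTTP Basic credentials on top of the address check.
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if ($user !== $adminUser || !password_verify($pass, $adminPasswordHash)) {
    header('WWW-Authenticate: Basic realm="phpinfo"');
    http_response_code(401);
    exit;
}

// 3. Refuse any query string: the bug linked above is phpinfo() echoing a
//    GET parameter (the ?code= example) into its own HTML, so a protected
//    page should not accept parameters at all.
if (!empty($_SERVER['QUERY_STRING'])) {
    http_response_code(400);
    exit;
}

// 4. Keep the output out of shared caches and proxies.
header('Cache-Control: no-store');
header('X-Content-Type-Options: nosniff');

phpinfo();
```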
I am not a JavaScript expert.
However, with this exploit that permits JavaScript insertion,
a hacker could grab for example /etc/passwd data,
or execute commands (wget for example) or upload files?
Am I right?
Originally posted by jstarkey
Can you post a link? I haven't seen it.
Heh.. I went there the other day.. I noticed it changed now.
I like the gender of the server, but usually machines are female.
yep, it was here http://www.phpbuilder.com/info.php, but i noticed it has changed
I generally go for something not so easy to guess if I want to see it run
like: www.mydomain.com/asdfqwertyjklzxcvbnm90210.php
or something along those lines
Ok, there's still something there (at http://www.phpbuilder.com/info.php).
It also says that you're running PHPv6???
Doesn't the whole page look slightly bogus to you piersk?
Does the PHP Core have a gender?
Sheeesh, I'm giving up my career as a comic
Read the config line (and at least snicker, please??)
Maybe the php.ini location?
Zend Engine 3?
runs off with manly tears in his eyes
Hey, thanks Stolzy for pointing it out.
The server actually is fairmaiden.iworld.com, though, isn't it? (Iworld.com is internet.com, PHPBuilder is Jupiter Media, Internet.com is Jupiter Media...)
I thought it was funny, and I noticed the /usr/drunk...