Unconfirmed. Windows 2000 sp2 plus postsp2rollup patch + PHP 4.0.6 Response from my webserver is as follows: CGI Error The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are: http://www.somewebsite.com/somesubdir/index.php/123 This format failed the test. HOWEVER http://www.somewebsite.com/somesubdir/index.php/ Passed the test and revealed the TRUE location of the File, not the location of the PHP installation directory. This can be avoided by disabling the showing of scripting errors in IIS. What version of Windows and what service packs, plus what version of PHP are you using? -Colby -----Original Message----- From: Paul Brereton [mailto:brereton_paul@btopenworld.com] Sent: Thursday, February 07, 2002 7:00 AM To: bugs@securitytracker.com; webmaster@hideaway.net; contact@securitybugware.org; exploit@nstalker.com; security@winnetmag.com; editors@apacheweek.com; bugtraq@securityfocus.com Subject: Security Advisory - #1 Title : Windows Based PHP Leaks True Path Author : Paul Brereton E-Mail : brereton_paul@btopenworld.com Summary : PHP for Windows reveals the true path where the program was installed. This would be considered in most cases sensitive information. Details : By appending /123 to the end of a PHP file such as http://somehost/database.php/123 the PHP program will return its install path: The following message is displayed : Premature end of script headers: C:/php/php.exe Regards, Paul Brereton.
