Security Risk: "main.php?cmd=phpinfo" provides access that server admins may not intend
Submitted by flynn on Thu, 2009-02-12 09:22.
| Project: | phpAlbum.net |
| Version: | 0.4.1-14_fix05 |
| Component: | Code |
| Category: | bug |
| Priority: | critical |
| Assigned: | ssimroth |
| Status: | new |
Description
Security Risk: "main.php?cmd=phpinfo" provides access that server admins may not intend. I believe that preventing access to phpinfo() is a basic security precaution, so I don't believe this cmd should be allowed in main.php by default.
Updates
#1 submitted by ssimroth on Tue, 2009-04-14 10:47
| Assigned to: | » ssimroth | |
| Attachment: | PhpInfoSecurityRisk.patch (509 bytes) |
I agree and did not want to allow unlimited access to the phpinfo, as I intend to make my phpalbum public.
However, I think it is a good idea to keep the command, but limit its execution to superusers.
Thus, I have replaced the call to phpinfo() in line 2578 (quite at the end) of main.php with the following code:
// Only members of the superuser group may see the phpinfo() output.
if (isset($pa_user["groups"]["superuser"]))
{
    phpinfo();
}
else
{
    echo "Command phpinfo not allowed for you.";
}
Patch (unified diff) with context is attached.
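The gating described in the comment above, as an added example that is not phpAlbum's own code nor the attached patch: a small command dispatcher that keeps cmd=phpinfo but refuses it to anyone outside the superuser group, and refuses unknown commands by default. The $pa_user layout ("groups" => ["superuser" => ...]), the command names and the function names are assumptions modelled on the snippet above; it further assumes $pa_user is populated server-side from the session, not from request data, since an isset() test on attacker-controlled data would be worthless.

```php
<?php
// Added example, not phpAlbum code. $pa_user structure, command names and
// helper names are assumptions based on the comment above.

declare(strict_types=1);

// One authorisation decision, kept in a function so it can be tested.
// Assumes $pa_user comes from server-side session state.
function pa_is_superuser(?array $pa_user): bool
{
    // Require a non-empty flag rather than mere isset(): a key that exists
    // but holds false, null or "" must not grant access.
    return is_array($pa_user)
        && isset($pa_user['groups'])
        && is_array($pa_user['groups'])
        && !empty($pa_user['groups']['superuser']);
}

// Commands anyone may run (hypothetical names); anything not listed is refused.
const PA_PUBLIC_CMDS = ['show', 'album'];
// Commands that require superuser membership.
const PA_ADMIN_CMDS  = ['phpinfo'];

function pa_dispatch(string $cmd, ?array $pa_user): string
{
    if (in_array($cmd, PA_PUBLIC_CMDS, true)) {
        return "ok: $cmd"; // stand-in for the real handler
    }
    if (in_array($cmd, PA_ADMIN_CMDS, true)) {
        if (!pa_is_superuser($pa_user)) {
            // Record the refusal server-side; tell the client only that it
            // was refused, not why or what the command would have shown.
            error_log("phpalbum: refused cmd=$cmd for non-superuser");
            return "Command $cmd not allowed for you.";
        }
        if ($cmd === 'phpinfo') {
            ob_start();
            phpinfo();
            return (string) ob_get_clean();
        }
    }
    // Deny by default: unknown commands get a refusal, nothing else.
    return "Unknown command.";
}

// Constructed inputs for a quick self-check.
$visitor = ['groups' => []];
$admin   = ['groups' => ['superuser' => true]];
assert(pa_is_superuser($visitor) === false);
assert(pa_is_superuser($admin) === true);
assert(pa_dispatch('phpinfo', $visitor) === 'Command phpinfo not allowed for you.');
assert(strpos(pa_dispatch('phpinfo', $admin), 'PHP Version') !== false);
assert(pa_dispatch('bogus', $admin) === 'Unknown command.');
echo "checks passed\n";
```

Server admins who do not want phpinfo() reachable from the web at all, regardless of application logic, can additionally list it in php.ini's disable_functions directive (disable_functions = phpinfo); the application-level check above then becomes defence in depth rather than the only barrier.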
