php vulnerability

rino.caldelli · 12-06-2005, 06:13 AM

I put this line in a index.html page

<?php
echo "IP: $_SERVER[REMOTE_ADDR]";
?>

the code strangely isn't parsed (seems as only *.php pages are parsed) and from the source code of the page you can see that the php code is still there...

now if you

Code:

[rrg@localhost ~]$ telnet myhomapega.com 80
Connected to rinonapo.no-ip.info (82.52.118.143).
Escape character is '^]'.
js
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>js to /index.shtml not supported.<br />
</p>
<hr>
<address>Apache-AdvancedExtranetServer/2.0.53 (Mandrakelinux/PREFORK-9mdk) mod_ssl/2.0.53 OpenSSL/0.9.7e PHP/4.3.10 mod_perl/1.999.21 Perl/v5.8.6 Server at 127.0.0.1 Port 80</address>
</body></html>
Connection closed by foreign host.
[rrg@localhost ~]$

you can see all my software instead of my ip!!!!!!!!!!!

cs-cam · 12-06-2005, 06:17 AM

That isn't a vulnerability, that's your setup. You need to create a handler for Apache to parse .html files as PHP otherwise yeah, it'll show your code. Duh! Doing so will also add a nice overhead to your server by sending every single static HTML file through PHP before serving it. Just put your PHP code in .php files and leave .html for static stuff only and you'll be fine.

phil.d.g · 12-06-2005, 06:22 AM

The server address is also configurable in httpd.conf, you can set it to show different amounts of detail

rino.caldelli · 12-06-2005, 11:54 AM

It seems as if you didn't read all my post... The problem is not that apache doesn't parse html files, nor that the addresse is not configurable, instead that it outputs

Code:

Apache-AdvancedExtranetServer/2.0.53 (Mandrakelinux/PREFORK-9mdk) mod_ssl/2.0.53 OpenSSL/0.9.7e PHP/4.3.10 mod_perl/1.999.21 Perl/v5.8.6 Server at 127.0.0.1 Port 80>

when it should only not parse it and ignore it!!!!!!

phil.d.g · 12-06-2005, 02:28 PM

From the ouput you posted in code tags in your first post, that is the correct behaviour of apache, you issued a http packet that it didn't understand and apache gave you a nice error page telling you so.

I don't understand what you are asking, please rephrase your question

By the way, to get a html page back you need to form your http request like this

Code:

GET /index.html HTTP/1.1
Host: www.pdgaskell.co.uk

rino.caldelli · 12-09-2005, 07:31 AM

thanks you're right... it was just a apache misconf