WebSTAR php.ini System Information Disclosure

2004-07-13T16:41:29
ID OSVDB:7796
Type osvdb
Reporter Dave G.(daveg@atstake.com)
Modified 2004-07-13T16:41:29

Description

Vulnerability Description

WebSTAR contains a flaw that may allow a malicious user to access unauthorized information. The issue is due to WebSTAR's improper file permissions on php.ini within the /cgi-bin or /fcgi-bin directories. This flaw may allow a remote attacker to download the php.ini file and obtain sensitive information about the web server and database server, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 5.3.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

http://[victim]/cgi-bin/php.ini
http://[victim]/fcgi-bin/php.ini
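As an added example (not part of the OSVDB record and not code from 4D or WebSTAR), the following Python routine reviews a Common Log Format access log for requests to the two php.ini paths named above and reports which ones were actually served, so an administrator can tell probes from real disclosures. The log lines are constructed for illustration.

```python
import re

# The two paths named in the advisory for the exposed php.ini.
SENSITIVE_PATHS = ("/cgi-bin/php.ini", "/fcgi-bin/php.ini")

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
_CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def find_php_ini_hits(log_lines):
    """Return (host, time, path, status) for every request for php.ini.

    The path is compared case-insensitively and without its query string,
    since the underlying file system may not distinguish case.
    """
    hits = []
    for line in log_lines:
        m = _CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        path = m.group("path").split("?", 1)[0].lower()
        if path in SENSITIVE_PATHS:
            hits.append((m.group("host"), m.group("time"), path,
                         int(m.group("status"))))
    return hits


def served_hits(log_lines):
    """Only the requests answered with 2xx, i.e. where the file was disclosed."""
    return [h for h in find_php_ini_hits(log_lines) if 200 <= h[3] < 300]


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jul/2004:16:41:29 -0400] "GET /cgi-bin/php.ini HTTP/1.0" 200 1824',
    '203.0.113.5 - - [13/Jul/2004:16:41:30 -0400] "GET /fcgi-bin/php.ini HTTP/1.0" 404 211',
    '198.51.100.7 - - [13/Jul/2004:16:42:01 -0400] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [13/Jul/2004:16:43:10 -0400] "GET /CGI-BIN/PHP.INI?x=1 HTTP/1.1" 200 1824',
]

if __name__ == "__main__":
    for host, when, path, status in find_php_ini_hits(SAMPLE_LOG):
        print(f"{when} {host} {path} -> {status}")
```

A 404 or 403 hit shows someone probed for the file; a 2xx hit means the server handed it out and the credentials or paths it contains should be treated as exposed.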

References:

Vendor URL: http://www.4d.com/
Vendor Specific Advisory URL
Secunia Advisory ID: 12063
Related OSVDB ID: 7794
Related OSVDB ID: 7795
Related OSVDB ID: 7797
Other Advisory URL: http://www.atstake.com/research/advisories/2004/a071304-1.txt
Mail List Post: http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0005.html
ISS X-Force ID: 16688
CVE-2004-0697