[Full-Disclosure] Re: Information Disclosure with Invision Board installation (fwd)

From: Gossi The Dog (gossiat_private)
Date: Wed Sep 25 2002 - 05:02:35 PDT


    Well, the developers have responded;
    
    http://forums.invisionboard.com/index.php?act=ST&f=30&t=23569
    
    From Matt, "IBF Project Leader"
    
    --------------------- snip -----------------------------
    
    "Whilst disclosing phpinfo.php to the world does expose installed modules, 
    paths and such - it's hardly the biggest security risk.
    
    Any PHP script that fails tells the viewer the full path to the script, as 
    does perl/CGI, etc.
    
    The information that phpinfo.php provides about the server can be got by a 
    simple desktop application as the information is quite freely distributed 
    (the basic idea of web protocols).
    
    FYI, we only set the SSL server up to test a few ideas, we use a merchant 
    account to process our credit card orders - they are not processed on our 
    server.
    
    Edit:
    
    I've set up securityat_private, so I will actually get the email 
    this time rather than it be eaten up in our system.
    
    I guess if this is the only "security" breach they can find with Invision 
    Board, we're doing well  "
    
    "I didn't receive any email, this is the first I've heard about it - my 
    email address is readily available and my signature says that I'm the lead 
    developer and should be the first point of contact in this case.
    
    To make it easier, I've set up securityat_private - all of our 
    unrouted mail is pretty much forwarded to dev/null because of the 
    different systems we have tied into our mail system (and to reduce the 
    amazing level of spam we get).
    
    Yes, phpinfo.php discloses the server environment - but not a great deal 
    more than one could find out by other means.
    
    My point being, there is no need for a full scale panic over this. The 
    phpinfo.php file has been distributed with Invision Board since day 1 and 
    I've not heard of anyone having their server hacked over it.
    
    I'll probably remove it in future releases to appease the over paranoid. 
    "
    
    --------------------- snip -----------------------------
    
    Quite honestly, this is a bit worrying.  "Matt" seems to think that people 
    can remotely obtain this kind of information due to "the basic web 
    protocols" without phpinfo.  This is complete rubbish.  Disclosing 
    application paths on servers, PHP setup... etc. is very much not possible 
    via "basic web protocols".
    
    If people are clued up enough to understand why this is a problem, I would 
    suggest they mail their concerns to securityat_private
    
    Regards,
    Gossi.
    
    
    On Tue, 24 Sep 2002, Gossi The Dog wrote:
    
    > 
    > Since the vendors didn't bother to respond, I might as well forward this 
    > on.
    > 
    > Basic gist - Invision Board (all versions) - installation guide copies 
    > across phpinfo.php, a file which calls phpinfo().
    > 
    > Example;
    > http://blahblahblah.corp.com/phpinfo.php
    > 
    > (just do a search on Google for "Invision Board" and append phpinfo.php to 
    > the URL).
    > 
    > Why is this bad?  Well, duh.  It gives you system variables, path names, 
    > modules of Apache, PHP setup, Apache module version numbers etc. etc.
    > 
    > Note to vendors: please reply to security mail in the future.
    > 
    > #phrack whore
    > 
    > ---------- Forwarded message ----------
    > Date: Mon, 23 Sep 2002 20:31:41 +0100 (BST)
    > From: Gossi The Dog <gossiat_private>
    > To: securityat_private
    > Cc: supportat_private, gossiat_private
    > Subject: Information Disclosure with Invision Board installation
    > 
    > 
    > Hi,
    > 
    > Okay, how to explain this one...
    > 
    > The installation procedure for Invision Board advises to upload various 
    > files and directories.  One of these is 'phpinfo.php'.
    > 
    > Now, I'm sorry, but this is dumb.
    > 
    > Why?
    > 
    > Example.
    > 
    > http://forums.invisionboard.com/phpinfo.php
    > 
    > I can now tell you don't have PHP Safe mode installed, exactly what Apache 
    > modules you have loaded, your full Apache SERVER_SOFTWARE (Apache/1.3.26 
    > (Unix) mod_bwlimited/1.0 PHP/4.2.1 mod_log_bytes/0.3 FrontPage/5.0.2.2510 
    > mod_ssl/2.8.9 OpenSSL/0.9.6b)...
    > 
    > etc.
    > 
    > 
    > PHP modules, settings, system variables...  They're all out there.  Also, 
    > note, your OpenSSL version is out of date and fully remotely exploitable 
    > (I managed to obtain that from phpinfo.php - you had it hidden before, but 
    > phpinfo.php discloses this information).
    > 
    > Do you agree this is a problem?
    > 
    > You need to modify the installation guide to say this file should *only* 
    > be uploaded for diagnosis and debugging reasons, and possibly move it to 
    > a different folder (e.g. debug) to stop people uploading it by accident.  
    > People also need to be reminded to *remove* the file if they upload it for 
    > debugging purposes after they finish.
    > 
    > You also need to notify existing users of the software about the file.
    > 
    > I did a quick Google search for "Invision Board", and every single one of 
    > the boards I tried (About 50) had the file.  Oops.
    > 
    > I'm planning to do some kind of bugtraq announcement after I've got a plan 
    > of action from yourselves (and I've given you a decent grace period), 
    > basically to make sure as many people as possible remove the file.
    > 
    > 
    > Thanks muchly,
    > 
    > Gossi The Dog.
    > 
    > 
    
    
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
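The thread's practical advice is that administrators should find and remove (or block) any stray phpinfo.php left in a web root. The script below is an added example, not code from the post or from Invision Board: it searches a document root for PHP files that call phpinfo() and can drop an Apache 1.3-style .htaccess rule that denies access to phpinfo.php until the file is removed. The sample web root it builds under mktemp is constructed for demonstration; it assumes a POSIX sh with find, grep and mktemp.

```shell
#!/bin/sh
# Added example (not from the original post): locate PHP files under a web
# root that invoke phpinfo(), and optionally deny web access to phpinfo.php.
# Assumes POSIX sh, find, grep and mktemp.

# Print every *.php file under $1 whose source calls phpinfo(
find_phpinfo_files() {
    root="$1"
    find "$root" -type f -name '*.php' \
        -exec grep -l 'phpinfo[[:space:]]*(' {} + 2>/dev/null
}

# Count the matches so a check script can fail when any are present
count_phpinfo_files() {
    find_phpinfo_files "$1" | wc -l | tr -d ' '
}

# Append an Apache 1.3 style access rule to $1/.htaccess that denies
# web access to phpinfo.php (the file should still be deleted afterwards).
deny_phpinfo_file() {
    dir="$1"
    cat >> "$dir/.htaccess" <<'EOF'
<Files phpinfo.php>
    Order deny,allow
    Deny from all
</Files>
EOF
    printf '%s\n' "$dir/.htaccess"
}

# Constructed sample web root for demonstration: one leftover phpinfo.php
# and one ordinary script that must not be flagged.
setup_sample_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/forums"
    printf '<?php phpinfo(); ?>\n' > "$dir/forums/phpinfo.php"
    printf '<?php echo "hello"; ?>\n' > "$dir/forums/index.php"
    printf '%s\n' "$dir"
}

# Usage (run stand-alone): build the sample root, list and count matches,
# then write the deny rule beside the offending file.
if [ "${1:-}" = "--demo" ]; then
    root=$(setup_sample_root)
    find_phpinfo_files "$root"
    echo "matches: $(count_phpinfo_files "$root")"
    deny_phpinfo_file "$root/forums"
fi
```

The grep pattern matches the call in source, so it also catches files named something other than phpinfo.php; the .htaccess rule only blocks the conventional name and is a stopgap, not a substitute for deleting the file.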
    



    This archive was generated by hypermail 2b30 : Wed Sep 25 2002 - 10:00:53 PDT