phpinfo (phpinfo.php) shows PHP information including values of HttpOnly cookies. #567

Closed
jhhua opened this issue Aug 12, 2021 · 5 comments

jhhua commented Aug 12, 2021

All 0.9.x versions (prior to 0.9.16) are affected.
System Information Leak (phpinfo()) vulnerability in flextype 0.9.16 via the phpinfo() parameter to 1) flextype/vendor/phpfastcache/phpfastcache/docs/examples/phpinfo.php, 2) flextype/vendor/phpfastcache/phpfastcache/docs/examples/index.php

It allows remote attackers to obtain configuration information via a phpinfo action in a request to phpinfo.php, index.php, which calls the phpinfo function.

jhhua commented Aug 12, 2021

Thanks, I found this vulnerability, it's between 0.9.12 and 0.9.16 via, it's not very dangerous

@Awilum Awilum closed this as completed Aug 12, 2021

Geolim4 commented Aug 12, 2021

Hello,

I have been notified today by mail of a potential vulnerability in Phpfastcache. I take this alert very seriously and am working on it to push a fix tonight, along with a CVE if needed.

This code is very old code (2016) located in the /docs directory that should not be here.

Thank you.

Awilum commented Aug 12, 2021

@Geolim4 Thanks!

Geolim4 commented Aug 12, 2021

A CVE has been released and published here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37704

Thanks :D
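
An added example, not part of the original thread or of either project's code: a Python check that walks a deployed web root and lists live `phpinfo()` calls, such as the ones reported above under `vendor/phpfastcache/phpfastcache/docs/examples/`. The function names and the sample file contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# PHP comments and quoted strings, matched in one pass so "//" inside a string
# is not treated as a comment. Heuristic: inline HTML outside <?php is not parsed.
_NOISE = re.compile(
    r"/\*.*?\*/|//[^\n]*|#[^\n]*|'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"", re.S)
# A bare phpinfo( call; excludes $obj->phpinfo(, Cls::phpinfo( and $phpinfo(.
_CALL = re.compile(r"(?<![\w>:$])phpinfo\s*\(", re.I)


def find_phpinfo_calls(root):
    """Return sorted (relative_path, line_number) for each live phpinfo() call."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        # Blank out comments and strings but keep newlines so line numbers hold.
        code = _NOISE.sub(lambda m: "\n" * m.group().count("\n"), text)
        for m in _CALL.finditer(code):
            line = code.count("\n", 0, m.start()) + 1
            hits.append((path.relative_to(root).as_posix(), line))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample tree; contents are not the real phpfastcache files."""
    examples = Path(root) / "vendor/phpfastcache/phpfastcache/docs/examples"
    examples.mkdir(parents=True)
    (examples / "phpinfo.php").write_text("<?php\nphpinfo();\n")
    (examples / "index.php").write_text(
        "<?php\n// phpinfo() is documented below\n"
        "if (isset($_GET['phpinfo'])) {\n    phpinfo();\n}\n")
    src = Path(root) / "src"
    src.mkdir()
    # Comment, string literal and method call: none of these should be reported.
    (src / "safe.php").write_text(
        "<?php\n/* phpinfo(); */\necho 'call phpinfo() to debug';\n$o->phpinfo();\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, line in find_phpinfo_calls(tmp):
            print(f"{rel}:{line}: phpinfo() call in deployed tree")
```

Files reported under `vendor/` should not be reachable over HTTP; removing the `docs/examples` directory or denying web access to `vendor/` closes the exposure.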
