The default FMPro Server install exposes a potential PHP data disclosure vulnerability
Operating system version
Mac OS X 10.6.5
Description of the issue
Nessus scanning of our system reported that the installed version of PHP had a potential 'information disclosure' vulnerability. This turned out to be due to the built-in PHP Easter Eggs (the PHP logo, the Zend logo and a credits page) that PHP returns in place of the requested page when a special GUID query string is given to any PHP file hosted on the server. They are enabled by the php.ini directive expose_php, which also makes PHP add an X-Powered-By header carrying the exact PHP version to every response, so together they help an attacker fingerprint the server and choose version-specific attacks.
More information about the issue is at http://www.0php.com/php_easter_egg.php
Steps to reproduce the problem
1) Append the query string ?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 to the URL of any PHP file hosted by FMPro Server.
For example: http://example.com/index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
The expected result is that the web publishing engine (and PHP) will ignore the extra parameter and just return the index.php page.
Instead, one of the Easter Egg images is returned in place of the index.php page. Removing the ?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 parameter shows the index.php page again.
See http://www.0php.com/php_easter_egg.php for samples of the images.
Exact text of any error message(s) that appear
I've just tried this under OS X. Since the issue is in the php.ini, I'd imagine that the Windows version of FMPro Server will behave similarly.
The fix for this is to edit the php.ini file:
/Library/FileMaker Server/Web Publishing/publishing-engine/php/snow leopard/lib/php.ini
and change the line
expose_php = On
to
expose_php = Off
PHP reads php.ini when it starts, so if the change does not take effect immediately, restart the Web Publishing Engine (or the web server) and then repeat the steps above to confirm that the Easter Egg no longer appears and that the X-Powered-By header is gone.
This should probably be the default setting for future FMPro Server configs.
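The following script is an added example and is not part of the original report or of FileMaker Server. It audits a php.ini for the effective expose_php value (PHP's default is On when the directive is absent), rewrites it to Off without relying on the non-portable sed -i flag, and probes a live URL for the Easter Egg by checking whether the GUID query returns an image content type. The PHP_INI path is the one named in the report; the URL given to the probe is a placeholder the reader supplies.

```shell
#!/bin/sh
# Added example, not part of the original report: audit a php.ini for
# expose_php, rewrite it to Off, and probe a live server for the Easter Egg.
# Assumptions: PHP_INI is the path from the report; the URL passed to
# probe_easter_egg is a placeholder supplied by the reader.

PHP_INI="/Library/FileMaker Server/Web Publishing/publishing-engine/php/snow leopard/lib/php.ini"
EGG_GUID="PHPE9568F36-D428-11d2-A769-00AA001ACF42"   # GUID used in the report

# Print the effective expose_php value ("On" or "Off") for a php.ini.
# Commented lines (leading ';') are skipped, the last assignment wins,
# and an absent directive means PHP's compiled-in default, which is On.
expose_php_setting() {
    ini="$1"
    line=$(grep -E '^[[:space:]]*expose_php[[:space:]]*=' "$ini" | tail -n 1)
    if [ -z "$line" ]; then
        echo "On"
        return 0
    fi
    val=$(printf '%s\n' "$line" \
          | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*(;.*)?$//; s/^"(.*)"$/\1/' \
          | tr '[:upper:]' '[:lower:]')
    case "$val" in
        off|0|false|no|none|"") echo "Off" ;;
        *)                      echo "On" ;;
    esac
}

# Rewrite php.ini so expose_php is Off. Every uncommented assignment is
# rewritten (so a later one cannot re-enable it); if none exists, one is
# appended. A temp file plus mv keeps the edit atomic and portable
# between BSD and GNU sed, which disagree on the -i flag.
harden_expose_php() {
    ini="$1"
    tmp=$(mktemp) || return 1
    if grep -Eq '^[[:space:]]*expose_php[[:space:]]*=' "$ini"; then
        sed -E 's/^([[:space:]]*expose_php[[:space:]]*=).*/\1 Off/' "$ini" > "$tmp"
    else
        cat "$ini" > "$tmp"
        printf '\nexpose_php = Off\n' >> "$tmp"
    fi
    mv "$tmp" "$ini"
}

# Probe a live URL: the Easter Egg answers with an image instead of the
# page, so an image/* content type for the GUID query means it is exposed.
# Also show the X-Powered-By header, which expose_php = On adds to every
# response and which carries the exact PHP version.
probe_easter_egg() {
    url="$1"
    ctype=$(curl -s -o /dev/null -w '%{content_type}' "${url}?=${EGG_GUID}")
    case "$ctype" in
        image/*) echo "EXPOSED: ${url} returned ${ctype} for the Easter Egg query" ;;
        *)       echo "ok: ${url} returned ${ctype}" ;;
    esac
    curl -sI "$url" | grep -i '^X-Powered-By:' || echo "no X-Powered-By header"
}

# Usage: sh expose_php.sh audit | harden | probe http://example.com/index.php
case "${1:-}" in
    audit)  echo "expose_php is $(expose_php_setting "$PHP_INI")" ;;
    harden) harden_expose_php "$PHP_INI" && echo "expose_php set to Off in $PHP_INI" ;;
    probe)  probe_easter_egg "$2" ;;
esac
```

Run "audit" on the server before and after the edit, then "probe" against the public URL from a separate host: the probe checks the content type rather than the image bytes, so it works for any of the Easter Egg GUIDs, and the header check catches the version leak that remains even on PHP builds where the images have been removed.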