0 Replies Latest reply on Feb 2, 2011 1:06 PM by Dhrakar

    The default FMPro Server install exposes a potential PHP data disclosure vulnerability

    Dhrakar

      Summary

      The default FMPro Server install exposes a potential PHP data disclosure vulnerability

      Product

      FileMaker Server

      Version

      11.0.1.99

      Operating system version

      Mac OS X 10.6.5

      Description of the issue

      Nessus scanning of our system reported that the installed version of PHP had a potential 'information disclosure' vulnerability.  This turned out to be due to some built-in PHP Easter Egg images that appear when you give a special parameter to any PHP file hosted on the server.  This vulnerability could be used to help an attacker to get version info about the server.
        More information about the issue is at http://www.0php.com/php_easter_egg.php

      Steps to reproduce the problem

      1)  Append the following to the URL for any php file hosted by FMPro Server:
          ?=PHPE9568F36-D428-11d2-A769-00AA001ACF42

        For example, http://example.com/index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42

      Expected result

The expected result is that the web publishing engine (and PHP) will ignore any extra parameters and just return the index.php page.

      Actual result

      One of the easter egg images pops up instead of the index.php page.  Removing the ?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 param shows the index.php page again.

      See http://www.0php.com/php_easter_egg.php for samples of the images.

      Exact text of any error message(s) that appear

      none.

      Configuration information

      I've just tried this under OS X.  Since the issue is in the php.ini, I'd imagine that the Windows version of FMPro Server will behave similarly.

      Workaround

      The fix for this is to edit the php.ini file:
        /Library/FileMaker Server/Web Publishing/publishing-engine/php/snow leopard/lib/php.ini

      and change the line
        expose_php = On

      to
        expose_php = Off

        This should probably be the default setting for future FMPro Server configs.
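As an added example, not part of Dhrakar's report or FileMaker's own tooling, the following Python audit reads php.ini text, reports the effective `expose_php` value the way PHP resolves it (comments ignored, last active directive wins, built-in default On), and emits a hardened copy with the directive set to Off. The ini excerpt is constructed for the example; on a real server you would read the path quoted in the workaround above.

```python
import re

# Constructed php.ini excerpt mirroring the weak default described in the report.
SAMPLE_INI = """\
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).
expose_php = On

; Maximum execution time of each script, in seconds
max_execution_time = 30
"""

# Matches an (uncommented) expose_php directive; group 4 is the value.
EXPOSE_RE = re.compile(r'^(\s*)(expose_php)(\s*=\s*)([^;\s]*)(.*)$', re.IGNORECASE)


def _is_comment(line):
    return line.lstrip().startswith(';')


def expose_php_setting(ini_text):
    """Return the effective expose_php setting as 'on', 'off', or None if absent.
    PHP treats On/1/True/Yes as true and anything else (Off/0/False/No/'') as
    false; when the directive appears more than once the last one wins."""
    value = None
    for line in ini_text.splitlines():
        if _is_comment(line):
            continue
        m = EXPOSE_RE.match(line)
        if m:
            value = m.group(4).strip('"').lower()
    if value is None:
        return None
    return 'on' if value in ('on', '1', 'true', 'yes') else 'off'


def harden_expose_php(ini_text):
    """Return ini text with every active expose_php directive set to Off.
    If the directive is absent, append it, since PHP's compiled-in default is On."""
    out = []
    seen = False
    for line in ini_text.splitlines():
        m = EXPOSE_RE.match(line)
        if m and not _is_comment(line):
            line = f"{m.group(1)}{m.group(2)}{m.group(3)}Off{m.group(5)}"
            seen = True
        out.append(line)
    if not seen:
        out.append('expose_php = Off')
    return '\n'.join(out) + '\n'
```

Run `expose_php_setting` over the file first to confirm the finding, then write the output of `harden_expose_php` back and restart the Web Publishing Engine so PHP re-reads its configuration.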