The default FMPro Server install exposes a potential PHP data disclosure vulnerability
Mac OS X 10.6.5
Nessus scanning of our system reported that the installed version of PHP had a potential 'information disclosure' vulnerability. This turned out to be due to the built-in PHP Easter Egg images, which are returned when a special query-string parameter is passed to any PHP file hosted on the server. The vulnerability could help an attacker obtain version information about the server (in particular, which PHP it runs).
More information about the issue is at http://www.0php.com/php_easter_egg.php
1) Append the query string ?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 to the URL of any PHP file hosted by FMPro Server. For example:
http://example.com/index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
The expected result is that the Web Publishing Engine (and PHP) ignore the extra parameter and simply return the index.php page.
Instead, one of the easter egg images is shown in place of the index.php page. Removing the ?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 parameter shows the index.php page again.
See http://www.0php.com/php_easter_egg.php for samples of the images.
I've just tried this under OS X. Since the issue is in the php.ini, I'd imagine that the Windows version of FMPro Server will behave similarly.
The fix for this is to edit the php.ini file:
/Library/FileMaker Server/Web Publishing/publishing-engine/php/snow leopard/lib/php.ini
and change the line
expose_php = On
to
expose_php = Off
PHP reads php.ini at startup, so the web server / Web Publishing Engine must be restarted for the change to take effect. Setting expose_php = Off also stops PHP from adding the X-Powered-By response header, which discloses the same version information.
This should probably be the default setting for future FMPro Server configs.
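A small check for confirming the fix on a server you administer, added here as an example (it is not part of the original report or of FileMaker's own tooling). It builds the probe URL from the report, then classifies the reply: an image content type means PHP answered the easter-egg query (expose_php still On), and an X-Powered-By header is a second sign of the same setting. The function names and the constructed sample responses are my own.

```python
"""Check whether a PHP-backed site still serves the PHP easter-egg images."""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen

# Query-string token from the report (the PHP logo easter egg).
EASTER_EGG_TOKEN = "PHPE9568F36-D428-11d2-A769-00AA001ACF42"


def probe_url(page_url: str) -> str:
    """Return page_url with '=<token>' as the whole query string.

    PHP matches the token at the start of the query string, so any
    existing query is replaced rather than appended to.
    """
    parts = urlsplit(page_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       "=" + EASTER_EGG_TOKEN, parts.fragment))


def classify_response(content_type: Optional[str],
                      powered_by: Optional[str]) -> dict:
    """Classify the reply to the probe URL.

    easter_egg_served: PHP returned an image instead of the page.
    x_powered_by:      value of the X-Powered-By header, if present.
    appears_hardened:  neither disclosure sign is present. (X-Powered-By can
                       also be stripped elsewhere, so this is an inference.)
    """
    ctype = (content_type or "").split(";")[0].strip().lower()
    egg = ctype.startswith("image/")
    return {
        "easter_egg_served": egg,
        "x_powered_by": powered_by,
        "appears_hardened": not egg and powered_by is None,
    }


def check_site(page_url: str, timeout: float = 10.0) -> dict:
    """Fetch the probe URL for a site you administer and classify the reply."""
    req = Request(probe_url(page_url), headers={"User-Agent": "expose-php-check"})
    with urlopen(req, timeout=timeout) as resp:
        return classify_response(resp.headers.get("Content-Type"),
                                 resp.headers.get("X-Powered-By"))


if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "http://example.com/index.php"))
```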