
The default FMPro Server install exposes a potential PHP data disclosure vulnerability

Question asked by Dhrakar on Feb 2, 2011

Summary

The default FMPro Server install exposes a potential PHP data disclosure vulnerability

Product

FileMaker Server

Version

11.0.1.99

Operating system version

Mac OS X 10.6.5

Description of the issue

Nessus scanning of our system reported that the installed version of PHP had a potential 'information disclosure' vulnerability. This turned out to be due to some built-in PHP Easter Egg images that appear when you give a special parameter to any PHP file hosted on the server. This vulnerability could be used to help an attacker to get version info about the server. More information about the issue is at http://www.0php.com/php_easter_egg.php

Steps to reproduce the problem

1)  Append the following to the URL for any php file hosted by FMPro Server:
    ?=PHPE9568F36-D428-11d2-A769-00AA001ACF42

  For example, http://example.com/index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42

Expected result

The expected result is that the web publishing engine (and PHP) will ignore any extra parameters and just return the index.php page.

Actual result

One of the easter egg images pops up instead of the index.php page.  Removing the ?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 param shows the index.php page again.

See http://www.0php.com/php_easter_egg.php for samples of the images.

Exact text of any error message(s) that appear

none.

Configuration information

I've just tried this under OS X.  Since the issue is in the php.ini, I'd imagine that the Windows version of FMPro Server will behave similarly.

Workaround

The fix for this is to edit the php.ini file:
  /Library/FileMaker Server/Web Publishing/publishing-engine/php/snow leopard/lib/php.ini

and change the line
  expose_php = On

to
  expose_php = Off

  This should probably be the default setting for future FMPro Server configs.
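The workaround above, as an added example that is not part of the original post or of FileMaker Server: a Python script that reads a php.ini, reports the effective expose_php setting using PHP's own boolean rules (last active directive wins, directive absent means On), and can write a hardened copy. The sample ini text is constructed; pass the path the post names to check a real file.

```python
"""Audit a php.ini for expose_php and optionally rewrite it to Off (added example)."""
import re
import sys

# Matches an active (uncommented) expose_php line; php.ini keys are case-insensitive.
DIRECTIVE = re.compile(r'^\s*expose_php\s*=\s*(.*?)\s*$', re.IGNORECASE)


def php_bool(raw):
    """Mimic PHP's boolean ini parsing: on/true/yes are true, otherwise atoi(value) != 0."""
    value = raw.split(';', 1)[0].strip().strip('"\'').lower()  # drop trailing comment and quotes
    if value in ('on', 'true', 'yes'):
        return True
    m = re.match(r'[+-]?\d+', value)
    return m is not None and int(m.group()) != 0


def expose_php_enabled(ini_text):
    """Effective value: the last active directive wins; PHP defaults expose_php to On."""
    enabled = True
    for line in ini_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            enabled = php_bool(m.group(1))
    return enabled


def harden(ini_text):
    """Rewrite every active expose_php directive to Off; append one if none is present."""
    lines = ini_text.splitlines()
    found = False
    for i, line in enumerate(lines):
        if DIRECTIVE.match(line):
            lines[i] = 'expose_php = Off'
            found = True
    if not found:
        lines.append('expose_php = Off')
    return '\n'.join(lines) + '\n'


# Constructed sample resembling the shipped file: a commented-out Off, then an active On.
SAMPLE_INI = "; constructed sample\n;expose_php = Off\nexpose_php = On\n"

if __name__ == '__main__':
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_INI
    state = 'On (version banner and easter eggs exposed)' if expose_php_enabled(text) else 'Off'
    print('expose_php is', state)
    if path and '--fix' in sys.argv[2:]:  # keep a backup, then write the hardened file
        with open(path + '.bak', 'w') as bak, open(path, 'w') as out:
            bak.write(text)
            out.write(harden(text))
        print('rewrote', path, '(backup in ' + path + '.bak)')
```

Run it with no arguments to see the constructed sample judged On, or as `python audit_expose_php.py "<path to php.ini>" --fix` to rewrite the file from the post after backing it up.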
