From: [EMAIL PROTECTED]
Operating system: all
PHP version: 4.2.3
PHP Bug Type: Apache related
Bug description: Serious security hole when accessing phpinfo() in a .htaccess protected dir.

On all servers we administrate, we always install an 'info.php' file which only contains the phpinfo() function. Now I found that PHP returns the transmitted password in clear text to the browser. The page is stored in the browser's cache or someone could just have a look at my screen. :-((

I think this is a serious security hole. The password should not be returned to the browser in any way; best would be to show some asterisks ('*******'), to show that the variable exists.

Ulrich Kapp

--
Edit bug report at http://bugs.php.net/?id=20750&edit=1
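
The masking the report asks for can be applied in info.php itself. The following is an added example, not part of the original report and not PHP's own fix; the function names, the list of sensitive keys and the `<td class="e">`/`<td class="v">` row layout it matches are assumptions to verify against the PHP version in use.

```php
<?php
// Added example: an info.php that never echoes HTTP Basic credentials.
// The row layout matched below is an assumption about phpinfo()'s HTML.

// Row labels whose value cell must be masked (assumed list).
const SENSITIVE_KEYS = 'PHP_AUTH_PW|PHP_AUTH_DIGEST|HTTP_AUTHORIZATION|Authorization';

/**
 * Replace the value cell of every table row whose label mentions a
 * sensitive key with asterisks, so the row still shows the key exists.
 */
function mask_phpinfo_html(string $html): string
{
    $pattern = '~(<td class="e">[^<]*(?:' . SENSITIVE_KEYS . ')[^<]*</td>\s*'
             . '<td class="v">).*?(</td>)~s';
    $masked = preg_replace($pattern, '${1}*******${2}', $html);
    // Fail closed: if the regex engine errors, show nothing at all.
    return $masked === null ? 'phpinfo output withheld: masking failed' : $masked;
}

/** Capture phpinfo() instead of streaming it, then mask before output. */
function safe_phpinfo(): string
{
    ob_start();
    // Skip the $_SERVER and environment dumps entirely; the Apache module
    // section can still list request headers, hence the masking pass.
    phpinfo(INFO_ALL & ~INFO_VARIABLES & ~INFO_ENVIRONMENT);
    return mask_phpinfo_html(ob_get_clean());
}

if (PHP_SAPI !== 'cli') {
    // Do not let the browser or a proxy keep a copy of the page.
    header('Cache-Control: no-store');
    echo safe_phpinfo();
} else {
    // Constructed sample rows for checking the masking offline.
    $sample = '<tr><td class="e">$_SERVER[\'PHP_AUTH_USER\']</td><td class="v">ulrich</td></tr>'
            . '<tr><td class="e">$_SERVER[\'PHP_AUTH_PW\']</td><td class="v">s3cret</td></tr>'
            . '<tr><td class="e">Authorization</td><td class="v">Basic dWxyaWNoOnMzY3JldA==</td></tr>';
    echo mask_phpinfo_html($sample), "\n";
}
```

Run from the command line, the script prints the constructed rows with the `PHP_AUTH_PW` and `Authorization` values replaced by asterisks and the `PHP_AUTH_USER` row left unchanged.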