 ID:               20750
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Open
+Status:           Bogus
 Bug Type:         Apache related
 Operating System: all
 PHP Version:      4.2.3
 New Comment:

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

If you do not want your users to see this information, then do
not give them the ability to view phpinfo().

Previous Comments:
------------------------------------------------------------------------

[2002-12-01 13:37:15] [EMAIL PROTECTED]

On all Servers we administrate, we always install an 'info.php' file
which only contains the phpinfo() function.

Now I found that PHP returns the transmitted password in clear text to
the browser. The page is stored in the browser's cache or someone could
just have a look at my screen. :-((

I think this is a serious security hole. The password should not be
returned to the browser in any way, best would be to show some
asterisks ('*******'), to show that the variable exists.

Ulrich Kapp

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=20750&edit=1
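
Added example, not part of the bug report or of PHP itself: an info.php variant that masks HTTP authentication values in phpinfo() output with asterisks, as the reporter suggests, and tells the browser not to cache the page. It assumes a web SAPI that emits phpinfo() as two-column HTML tables; the function name redact_phpinfo and the label list are hypothetical, and access to the file should still be restricted as the reply above says.

```php
<?php
// Added example (hypothetical helper, not PHP project code).

// Case-insensitive substrings of row labels whose values must not be echoed.
// Assumption: only HTTP authentication data is covered; extend as needed.
const SENSITIVE_LABELS = ['PHP_AUTH_PW', 'PHP_AUTH_DIGEST', 'AUTHORIZATION'];

/**
 * Mask the value cells of sensitive <tr><td>label</td><td>value</td></tr>
 * rows. The row itself is kept so the variable is still visibly present.
 */
function redact_phpinfo(string $html): string
{
    $out = preg_replace_callback(
        '~(<tr\b[^>]*>\s*<td\b[^>]*>)(.*?)(</td>)(.*?)(</tr>)~is',
        static function (array $m): string {
            $label = html_entity_decode(strip_tags($m[2]), ENT_QUOTES);
            foreach (SENSITIVE_LABELS as $needle) {
                if (stripos($label, $needle) !== false) {
                    // Replace the content of every remaining cell in this row.
                    $cells = preg_replace(
                        '~(<td\b[^>]*>).*?(</td>)~is',
                        '$1*******$2',
                        $m[4]
                    );
                    return $m[1] . $m[2] . $m[3] . $cells . $m[5];
                }
            }
            return $m[0]; // not sensitive: leave the row untouched
        },
        $html
    );

    // Fail closed: if the regex engine errors out, show nothing rather
    // than the unredacted page.
    return $out ?? '<p>phpinfo() output withheld: redaction failed.</p>';
}

// Capture the page instead of streaming it, so it can be filtered first.
ob_start();
phpinfo();
$page = (string) ob_get_clean();

// Keep the page out of browser and proxy caches.
header('Cache-Control: no-store');
echo redact_phpinfo($page);
```

The rows matched this way include both the `PHP_AUTH_PW` variable and the raw `Authorization` request header, which carries the same password base64-encoded.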