1 Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2
2 and 4.4.2 allows remote attackers to inject arbitrary web script or HTML
3 via long array variables, including (1) a large number of dimensions or
4 (2) long values, which prevents HTML tags from being removed.
6 Patch pulled from cvs.php.net
8 --- php-5.1.2/ext/standard/info.c 2006/01/01 12:50:15 1.249.2.7
9 +++ php-5.1.2/ext/standard/info.c 2006/03/30 19:58:18 1.249.2.9
12 PHPAPI extern char *php_ini_opened_path;
13 PHPAPI extern char *php_ini_scanned_files;
15 +static int php_info_write_wrapper(const char *str, uint str_length)
19 + int new_len, written;
20 + char *elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
22 + written = php_body_write(elem_esc, new_len TSRMLS_CC);
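Review bot: In php_info_write_wrapper the buffer returned by php_escape_html_entities() is allocated on every call, and none of the lines shown here release it; the page skips several patch lines after the php_body_write() call, so the rest of the body may already do this. The wrapper is passed as the write callback to zend_print_zval_ex in the later hunk and so presumably runs once per emitted chunk, which means a missing `efree(elem_esc);` before the return would leak for every piece of array output phpinfo() prints. A short comment above the function would also help, for example `/* Escape each chunk before it is written, so no part of the array dump reaches the client unescaped. */`, because the fix is only effective if every write of that output goes through this wrapper.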
30 /* {{{ _display_module_info
35 if (Z_TYPE_PP(tmp) == IS_ARRAY) {
38 - MAKE_STD_ZVAL(tmp3);
40 if (!sapi_module.phpinfo_as_text) {
43 - php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
45 - zend_print_zval_r(*tmp, 0 TSRMLS_CC);
47 - php_ob_get_buffer(tmp3 TSRMLS_CC);
48 - php_end_ob_buffer(0, 0 TSRMLS_CC);
50 - if (!sapi_module.phpinfo_as_text) {
51 - elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
54 + zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
57 - PUTS(Z_STRVAL_P(tmp3));
58 + zend_print_zval_r(*tmp, 0 TSRMLS_CC);
60 - zval_ptr_dtor(&tmp3);
62 } else if (Z_TYPE_PP(tmp) != IS_STRING) {
64 zval_copy_ctor(&tmp2);