Please, don't tell the world which PHP version I'm running #214
Comments
As this is not shown to everyone, but only the admin the first time it installs Shaarli on a new machine that doesn't fit the requirements, please close this issue. Shaarli is not "telling the world" (e.g. displaying the exact version number of PHP on all pages). Instead, it is checking that you have a recent enough version of PHP installed, and doesn't run if the version is too old, displaying the current version number to you, the system administrator. Assuming you have a too old version of PHP, it would make no sense for you to leave the Shaarli code on the machine (you can't use it anyway, so don't leave extra code running on your machine). From the link you mention, section "Am I Vulnerable To 'Sensitive Data Exposure'?":
None of that applies to this issue, which is source code checking that it's running on a recent-enough version of PHP, and displaying an error message to you if the server doesn't pass the requirements. Nobody would see this error message, since it would mean Shaarli can't run on your machine. Even if this was removed from the PHP code, it would still need to mention somewhere, e.g. "Shaarli runs on PHP [isn't this already disclosing sensitive information in itself], version 5.1.0 or later". Also, PHP 5.1 was released on 24 November 2005, and is unsupported since 24 August 2006. If you're seeing this error message, it means you're running such an antique version of PHP that you probably have other issues to think about than this page that displayed the version once to your sysadmin... (note that an older version 4.4 was supported a bit later, but that ended on 7 August 2008, so it doesn't change my message)
As mentioned, this is only printed if the PHP version is lower than 5.1.0 and Shaarli cannot continue. If this is the case you should uninstall it to prevent disclosing the version number, or upgrade your PHP installation. If you are running an obsolete version of PHP, you have bigger problems than the version number being displayed. @Nicals please comment if you think I missed something, I think this can be closed.
Yeah, I don't agree. You say: "If this is the case you should uninstall it to prevent disclosing the version number". Well... This is the issue: the version number is displayed. And this is a basic security issue. Unfortunately, not every Shaarli user is a sysadmin, nor is aware of anything concerning infosec. A rookie user who wants to install it on his old box will find the error, will want to upgrade later because he doesn't have time, and will forget about it, leaving his box vulnerable. The user SHOULD update his PHP version, but he WILL not always do it (especially for a hobbyist project like this one). For example, with a basic google dork: http://m.dailypharm.com/newsView.html?ID=192090 So yes, this is not credit card number disclosure, but it is server internal info disclosure. Such a message should lie in logs and not on a public space. This IS a security issue. Not a critical one, but still a security issue.
Ok @Nicals what do you suggest? We could change the message to Note that we have to do this in http://github.com/shaarli/Shaarli (community fork) as we don't have push access to @sebsauvage's repo (as you can see, it's unmaintained). We should still inform the user that there is a problem with his PHP version. Only logging and displaying no error message would be confusing. As you said, not every Shaarli user is a sysadmin.
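One way to implement the compromise discussed in this thread (tell the visitor that the server fails the requirement, but write the exact PHP version only to the server log). This is an added example, not Shaarli's code and not the change made in shaarli#81; the `MIN_PHP_VERSION` constant and the `checkPhpVersion()` helper are assumed names.

```php
<?php
// Added example (not Shaarli's code): a minimum-version gate that keeps the
// installed PHP version out of the public HTTP response and logs it instead.

define('MIN_PHP_VERSION', '5.1.0'); // threshold quoted in the thread

/**
 * Returns null when $current satisfies $minimum, otherwise a generic message
 * that is safe to show to anonymous visitors. The precise version is passed
 * to $logger (a callable such as 'error_log') so only the sysadmin sees it.
 */
function checkPhpVersion($current, $minimum, $logger)
{
    if (version_compare($current, $minimum, '>=')) {
        return null;
    }

    // Detailed message for the administrator: server log, not the page.
    $logger(sprintf(
        'Shaarli requires PHP %s or later; this server runs PHP %s. Aborting.',
        $minimum,
        $current
    ));

    // Public message: states the requirement, not what is actually installed.
    return sprintf(
        'This application cannot run on this server: it requires PHP %s or later. '
        . 'Please contact the site administrator.',
        $minimum
    );
}

$publicMessage = checkPhpVersion(PHP_VERSION, MIN_PHP_VERSION, 'error_log');
if ($publicMessage !== null) {
    header('HTTP/1.1 503 Service Unavailable');
    exit($publicMessage);
}
```

The public text still reveals that the server is below the stated minimum, which is the trade-off the maintainers accept above in order not to leave a confused user without any message.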
Didn't see that this project wasn't maintained anymore. Continuing here
Fixed in shaarli#81
It's not a good idea to print the current server PHP version to everyone accessing the site.
You should set this in a log. This issue is part of OWASP top ten vulnerabilities
https://github.com/sebsauvage/Shaarli/blob/master/index.php#L124