[Kolab-devel] [issue1507] Public viewable phpinfo() and more in Server default installation

Sascha Wilde kolab-issues at intevation.de
Tue Nov 21 17:21:52 CET 2006


New submission from Sascha Wilde <wilde at intevation.de>:

The horde derived fbview directories, distributed as part of Kolab
Server, contain certain stuff of unknown status and usefulness.

One of the many publicly available scripts is test.php, which can be
found as https://kolab.example.com/fbview/test.php on any kolab
server.  This script provides a vast amount of information on the
running PHP installation, including the uncensored output of
phpinfo().  There is no authentication needed to view this site!

This kind of information disclosure is widely recognized as a serious
security threat and should be removed as soon as possible.

Furthermore I would strongly recommend reviewing the other files in
/www/fbview, as most of them seem to be executable and it's unclear if
there are more security problems hidden.

----------
assignedto: steffen
messages: 8955
nosy: bernhard, steffen, thomas, wilde
priority: critical
status: unread
title: Public viewable phpinfo() and more in Server default installation
topic: fbview, server
________________________________________________
Kolab issue tracker <kolab-issues at intevation.de>
<https://intevation.de/roundup/kolab/issue1507>
________________________________________________
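The following audit script is an added example for this report; it is not part of the issue, of Kolab Server, or of the fbview tree. It assumes a POSIX shell with find and grep, a directory path such as /www/fbview (taken from the report) and a php.ini path that are both passed in by the administrator, and it checks the three points the report raises: scripts that call phpinfo(), files that carry an execute bit although a web server does not need it, and whether phpinfo is at least disabled in PHP's disable_functions as a defence-in-depth setting while the leftover scripts are removed.

```shell
#!/bin/sh
# Added example (not from the Kolab issue or the Kolab code base).
# Audits a web-served PHP directory for the problems the report describes.
# Usage: sh audit_fbview.sh /www/fbview [/etc/php.ini]

# Print every *.php file under $1 that contains a call to phpinfo(.
# Such a script discloses the full PHP configuration to any visitor.
find_phpinfo_scripts() {
    find "$1" -type f -name '*.php' \
        -exec grep -l 'phpinfo[[:space:]]*(' {} + 2>/dev/null || true
}

# Print every regular file under $1 with any execute bit set
# (owner, group or other). PHP served through the web server does not
# need the bit; its presence flags files of unknown origin worth a review.
find_executable_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -print 2>/dev/null || true
}

# Exit 0 if the php.ini given as $1 lists phpinfo in disable_functions,
# 1 otherwise. Disabling the function makes every forgotten copy of the
# script harmless; removing the script itself remains the primary fix.
phpinfo_disabled_in() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" 2>/dev/null \
        | grep -q -E '(=|,)[[:space:]]*phpinfo[[:space:]]*(,|$)'
}

# Human-readable report over a directory and, optionally, a php.ini.
audit_php_dir() {
    echo "== scripts calling phpinfo() under $1 =="
    find_phpinfo_scripts "$1"
    echo "== files with an execute bit under $1 =="
    find_executable_files "$1"
    if [ -n "${2:-}" ]; then
        if phpinfo_disabled_in "$2"; then
            echo "== $2: phpinfo is listed in disable_functions =="
        else
            echo "== $2: phpinfo is NOT disabled in disable_functions =="
        fi
    fi
}

# Only run the report when a directory was given on the command line,
# so the functions can also be sourced into another script.
if [ -n "${1:-}" ]; then
    audit_php_dir "$1" "${2:-}"
fi
```

Every finding of the first two checks is a candidate for deletion from the served tree rather than for a web-server access rule alone, because a rule covers only the paths it names while the report notes that most of /www/fbview is of unknown status.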
