Source Code Disclosure - CVE-2012-1823

Risk:
High

Type:
Active

CWE:
CWE-20

Summary: Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped “=” character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML.

Solution: Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives.

Other info: <?php $x=0; echo '<h1>Welcome!</h1>'; ?>

References

https://owasp.org/www-community/vulnerabilities/Improper_Data_Validation

https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

https://cwe.mitre.org/data/definitions/89.html

Latest Security News

Latest CVE List

Common Alerts

InformationalUser Controllable JavaScript Event (XSS)
MediumApplication Error Disclosure via WebSockets
InformationalModern Web Application
InformationalCORS Header
HighPath Traversal
HighXML External Entity Attack
HighCross Site Scripting (Reflected)
HighCORS Misconfiguration
HighGeneric Padding Oracle
LowInformation Disclosure - Sensitive Information in Browser sessionStorage

Common CWEs

Free online web security scanner

Don't show website scan report rating on the leaderboard