OpenBiblio 0.5.2-pre4 and earlier allows remote attackers to obtain configuration information via a direct request to phpinfo.php, which calls the phpinfo function.
OpenBiblio 0.5.2-pre4 and earlier is vulnerable to a critical information disclosure flaw. Attackers can remotely access sensitive configuration details, including database credentials and server settings, by directly requesting the phpinfo.php file. This allows for complete system compromise and further exploitation.
Step 1: Target Identification: The attacker identifies a target running OpenBiblio 0.5.2-pre4 or earlier.
Step 2: Vulnerability Discovery: The attacker identifies the existence of phpinfo.php on the target server, typically by scanning for common file paths or directory listings.
Step 3: Direct Request: The attacker sends an HTTP GET request to http://<target>/phpinfo.php.
Step 4: Information Disclosure: The server responds with the output of the phpinfo() function, revealing sensitive configuration details.
Step 5: Exploitation: The attacker uses the gathered information (e.g., database credentials, server paths) to craft further attacks, such as database compromise, file upload vulnerabilities, or privilege escalation.
The vulnerability stems from the inclusion of phpinfo.php in the OpenBiblio installation, which directly calls the PHP phpinfo() function. This function outputs a wealth of information about the PHP environment, including server configuration, installed modules, environment variables, and potentially sensitive data like database connection strings. The lack of access control or authentication on this file allows any remote attacker to retrieve this information. The root cause is a design flaw where a debugging or diagnostic tool (phpinfo) is left enabled in a production environment without proper security measures. There is no specific code flaw like a buffer overflow or race condition, but rather a failure to secure a diagnostic endpoint.