The phpinfo() function is commonly used to check configuration settings and is also a valuable debugging tool for the system. For this reason, access to pages that call phpinfo() is normally restricted to administrators. If an attacker can locate a page on a site that exposes phpinfo() and convince a user to follow a malicious link to that page, malicious HTML or script could be executed in the user's browser. This could allow the compromise of user information and cookies, and lead to a further integrity compromise of the user's system.
Websites do not normally leave the phpinfo() function exposed on a web page, yet such exposure is required for this attack. Carrying out the attack also requires operating a website that hosts a malicious link to a different website on which phpinfo() is exposed. This allows the malicious website operator to exploit the vulnerability in the phpinfo() function to compromise the user's information or system.
This vulnerability was first detailed in Alert 9961. It was then fixed in PHP version 4.4.1; however, it was reintroduced in PHP 4.4.3, as it was still possible to bypass the escaping of the affected variables. Sources indicate that this vulnerability was fixed in PHP 4.4.2; however, this could not be confirmed.
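Because the attack depends on a phpinfo() page being reachable by ordinary users, a defender's first check is whether such pages are being served at all. The following added example (not part of the advisory, and not PHP project code) scans Apache combined-format access-log lines for requests to phpinfo-style pages (assumed file names `phpinfo.php` and `info.php`) and rates each hit: served with script-like content in the query string, served successfully, or blocked. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2006:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2006:13:56:01 +0000] "GET /phpinfo.php HTTP/1.1" 200 61234 "http://evil.example/" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2006:13:57:12 +0000] "GET /info.php?x=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 61300 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2006:13:58:00 +0000] "GET /phpinfo.php HTTP/1.1" 403 210 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, path, status, referer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
# Assumed phpinfo page names; extend to match local naming conventions.
PHPINFO_PATH_RE = re.compile(r'(?:^|/)(?:php)?info\.php(?:$|\?)', re.IGNORECASE)
# Markers of HTML/script content reflected through a phpinfo page's query string.
SCRIPT_RE = re.compile(r'<\s*/?\s*script|javascript:|on\w+\s*=', re.IGNORECASE)


def classify(line):
    """Return a finding dict for a request to a phpinfo page, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group('path')
    if not PHPINFO_PATH_RE.search(path):
        return None
    decoded = unquote_plus(path)  # decode %3C etc. before looking for markup
    if SCRIPT_RE.search(decoded):
        severity = 'high'       # markup reaching an exposed phpinfo page
    elif m.group('status') == '200':
        severity = 'medium'     # page is being served to a non-admin client
    else:
        severity = 'low'        # request was blocked (e.g. 403)
    return {'ip': m.group('ip'), 'ts': m.group('ts'), 'path': path,
            'status': m.group('status'), 'referer': m.group('referer'),
            'severity': severity}


def scan(log_text):
    """Scan a block of log text and return all phpinfo-related findings in order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding['severity'].upper(), finding['ip'], finding['path'], finding['status'])
```

Any `medium` finding means a phpinfo() page is reachable without the administrator-only restriction the advisory assumes; the referer field helps spot links coming from a third-party site.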