https://www.exploit-db.com/exploits/22725
https://www.securityfocus.com/bid/82859
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-558

PHP4.2.3版本的phpinfo函数存在跨站脚本(XSS)漏洞。远程攻击者可以借助query字符串参数注入任意web脚本或HTML，正如使用soinfo.php。

source: http://www.securityfocus.com/bid/7805/info

Scripts that include the PHP phpinfo() debugging function may be prone to cross-site scripting attacks. This could permit remote attackers to create a malicious link to a vulnerable PHP script that includes hostile client-side script code or HTML. If this link is visited, the attacker-supplied code may be rendered in the browser of the user who visit the malicious link. 

http://www.example.com/info.php?variable=[code]

where [code] equals hostile HTML or script code.

PHP PHP 4.2.3

+

EnGarde Secure Linux 1.0.1

+

MandrakeSoft Corporate Server 2.1 x86_64

+

MandrakeSoft Corporate Serv

来源:www.techie.hopto.org
链接:http://www.techie.hopto.org/vulns/2002-36.txt
来源:XF
名称:php-phpinfo-xss(10355)
链接:http://www.iss.net/security_center/static/10355.php
来源:VULNWATCH
名称:20021013PHPInformationFunctionsMayAllowCross-SiteScripting
链接:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0021.html
来源:BUGTRAQ
名称:20030603PHPXSSexploitinphpinfo()
链接:http://archives.neohapsis.com/archives/bugtraq/2003-06/0027.html