CVE-2002-1149 in IP.Boardinfo

Summary

by MITRE

The installation procedure for Invision Board suggests that users install the phpinfo.php program under the web root, which leaks sensitive information such as absolute pathnames, OS information, and PHP settings.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 09/08/2025

The vulnerability described in CVE-2002-1149 represents a critical security flaw in the Invision Board software installation process that exposes sensitive system information to unauthorized users. This issue arises from the software's recommendation to place the phpinfo.php file within the web root directory during installation, creating an unintentional information disclosure channel that significantly weakens the system's security posture. The flaw demonstrates poor security hygiene in software distribution practices and highlights the importance of secure configuration management during deployment.

The technical nature of this vulnerability stems from the phpinfo.php script's inherent functionality which displays detailed configuration information about the php environment. When this script is accessible through a web browser, it reveals critical system details including absolute file paths, operating system identifiers, php configuration settings, and potentially other sensitive metadata. This information leakage directly maps to CWE-200, which categorizes information exposure vulnerabilities where sensitive data is inadvertently disclosed to unauthorized parties. The vulnerability exploits the principle of least privilege by providing attackers with unnecessary system information that could be leveraged for further exploitation attempts.

The operational impact of this vulnerability extends beyond simple information disclosure, as the leaked pathnames and system details provide attackers with valuable reconnaissance data for subsequent attack vectors. The absolute path information disclosed through phpinfo.php can be used to understand the file system structure and potentially identify other vulnerable components or misconfigurations within the system. Additionally, OS information and PHP version details help attackers determine which specific exploits might be applicable to the target environment, significantly reducing the attack surface analysis time required for compromise. This vulnerability directly aligns with ATT&CK technique T1212, which focuses on exploiting software vulnerabilities to gain access to sensitive information.

Security professionals should implement immediate mitigations by removing or restricting access to phpinfo.php files in production environments, ensuring that such diagnostic scripts are never deployed in publicly accessible web directories. Organizations must establish robust security configuration management processes that validate installation procedures and eliminate recommendations that could introduce security risks. The vulnerability underscores the critical importance of secure coding practices and proper security reviews of installation documentation to prevent accidental exposure of sensitive system information. Regular security audits should verify that no diagnostic or testing scripts remain accessible in production environments, and access controls should be implemented to prevent unauthorized access to system configuration information.

Disclosure

10/11/2002

Moderation

accepted

Entry

VDB-19067

CPE

ready

EPSS

0.01970

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!