Bug #32934 Files with the PHP Extension execute with "/" instead of "." running the Script
Submitted: 2005-05-03 23:18 UTC Modified: 2005-05-05 10:35 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: bernardino_lopez at yahoo dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 4.3.11 OS: Linux
Private report: No CVE-ID: None
 [2005-05-03 23:18 UTC] bernardino_lopez at yahoo dot com
Description:
------------
Open Any PHP Page and replace the "." of the File Extension by "/"

Example:

http://www.abc.com/phpinfo.php

Replace the URL Address for:

http://www.abc.com/phpinfo/php

The script is going to execute.

Reproduce code:
---------------
No code just replace your URL from the extension ".php" for "/php" 


Expected result:
----------------
Same page execution of the Original page.

Not sure if possible to parse extra parameters to any exposed script to execute....

Actual result:
--------------
Page executes regardless of the

phpinfo.php
phpinfo/php

At this point I am looking for a major impact, because being able to pass arbitrary commands to the script to execute will create a major security issue.

Best Regards Dinooz.


 [2005-05-04 18:34 UTC] tony2001@php.net
Not a PHP problem.
Configure your webserver properly.
 [2005-05-04 19:53 UTC] bernardino_lopez at yahoo dot com
Do you realize that all the PHP webservers in the world need to be configured properly then?

I'm just surprised it executed. At this time I noticed the performance of the server has some degradation in speed; I wonder if multiple malformed requests can slow down the server in general. But I really don't think it is WebServer configuration, it is execution of any PHP script.

Will dig more into it and find out if Windows-based servers reply the same way.

Something that I noticed: the execution is not affected when running PHP from the CLI.

Best Regards Dino.
 [2005-05-05 10:35 UTC] tony2001@php.net
I realize that all except for you have heard about MultiViews directive. 
Please read Apache's documentation and realize that this "issue" has nothing to do with PHP.
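
The MultiViews behaviour named in the last reply, shown as an Apache configuration before and after hardening. This is an added example, not part of the original thread; the directory path is a placeholder, and `AcceptPathInfo Off` is an extra Apache 2.x setting the thread does not mention.

```apache
# Constructed example; /var/www/html is a placeholder document root.
# The two <Directory> blocks are alternatives, not meant to be loaded together.

# Before: content negotiation is enabled for the directory.
# A request for /phpinfo/php finds no file named "phpinfo", so
# mod_negotiation looks for phpinfo.* and selects phpinfo.php.
# The trailing "/php" reaches the script as PATH_INFO and the page runs.
<Directory "/var/www/html">
    Options +MultiViews
</Directory>

# After: negotiation is switched off, so /phpinfo/php returns 404
# while /phpinfo.php keeps working.
# AcceptPathInfo Off (Apache 2.x) also rejects trailing path data on a
# real script name, e.g. /phpinfo.php/extra, with 404.
<Directory "/var/www/html">
    Options -MultiViews
    AcceptPathInfo Off
</Directory>
```

Applications that rely on PATH_INFO routing (front controllers using `/index.php/route`) need `AcceptPathInfo` left on for those scripts.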
 