PHP :: Bug #10442 :: CGI php.exe allows for ANY file to be read from the server

Bug #10442	CGI php.exe allows for ANY file to be read from the server
Submitted:	2001-04-22 11:23 UTC	Modified:	2001-04-28 16:16 UTC
From:	hingleton at freeuk dot com	Assigned:
Status:	Closed	Package:	Apache related
PHP Version:	4.0.4pl1	OS:	Windows 9x, Windows 2000
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2001-04-22 11:23 UTC] hingleton at freeuk dot com

I'm using Apache 1.3.19 on Windows 2000, with PHP 4.0.4pl1 running as a CGI executable.

Occasionaly whilst testing on localhost, Apache will set the current address as, for example:

http://127.0.0.1/php/php.exe?/path/to/index.php

This can be modified, to read ANY file from the server.

http://127.0.0.1/php/php.exe?c:\windows\win.ini

would, for example, print out in plaintext the contents of that file on a Win9x system.

IMO, this represents an enormous potential security problem, although is it dependant on the attacker knowing the path to the php.exe executable, and the filename he wishes to retrive.

This works on my Windows 2000 and Windows 98SE machines, both of which have PHP running as an executable.
The initial setup instructions come from http://www.phpbuilder.com/, which set PHP to be installed as c:\php\php.exe by default.

Jakub Burgis
hingleton@freeuk.com

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2001-04-28 16:16 UTC] jmoore@php.net

This is well covered in the manual under security issues you should compile with the appropriate options.

- James

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Apr 20 03:01:28 2024 UTC