PHP :: Bug #9353 :: Require command reads /etc/passwd

Bug #9353	Require command reads /etc/passwd
Submitted:	2001-02-20 09:26 UTC	Modified:	2001-02-20 13:35 UTC
From:	sebastian at wolfgarten dot com	Assigned:
Status:	Closed	Package:	Unknown/Other Function
PHP Version:	4.0.1pl2	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	sebastian at wolfgarten dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2001-02-20 09:26 UTC] sebastian at wolfgarten dot com

Hello,

I have found a bug in PHP 4.01pl2 and maybe it exist in all other php versions too. A php script can read all files on the system when the read flag for everyone is set for that file. This code shows the problem:

<?
    require('../../../../../../../etc/passwd');
?>

It is not a very serious bug but by reading local files a hacker might get important information he (or she) could use to hack into the system.

Bye
Sebastian Wolfgarten

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2001-02-20 13:35 UTC] sas@php.net

Please check out the security section of the manual, 
especially regarding the safe mode feature.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Oct 25 02:00:01 2025 UTC