PHP :: Bug #14909 :: Allows access to ANY file

Bug #14909

Allows access to ANY file

Submitted:

2002-01-07 09:34 UTC

Modified:

2002-02-27 07:37 UTC

Votes:	6
Avg. Score:	3.7 ± 1.9
Reproduced:	4 of 5 (80.0%)
Same Version:	3 (75.0%)
Same OS:	4 (100.0%)

From:

leighgardiner at hotmail dot com

Assigned:

imajes (profile)

Status:

Closed

Package:

Apache related

PHP Version:

4.1.1

OS:

Windows

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	leighgardiner at hotmail dot com
New email:
PHP Version:		OS:

New Comment:

[2002-01-07 09:34 UTC] leighgardiner at hotmail dot com

Well you should have already heard about this but I'll report it anyway becoz we all need a fix very fast! Well when you do this: http://www.example.com/php/php.exe?c:\winnt\repair\sam   (this is an example, you can view any file) it will return the files contents! This happens with ANY windows versions...i don't think it affects linux. Also this will return the install path of PHP: http://www.example.com/php/php4ts.dll
could you please get a path/new vesion out ASAP! This is extremly serious!

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-01-07 09:41 UTC] georg@php.net

Unbelievable, why do you set your cgi-binary in the document root tree!?

See http://www.cert.org/advisories/CA-1996-11.html

[2002-01-07 09:46 UTC] imajes@php.net

Actually, our documentation tells win32 users to install that way. I'm investigating a better method right now, and will patch the documentation in a short while.

I knew i forgot to do something after i updated my win32 last week!

[2002-01-07 12:02 UTC] goba@php.net

Georg, our security section has a link to that CERT
advisory for quite a long time now. I have added a
warning and a link to the particular security page
to that setup instruction page for Apache windows.

Please give better instructions for CGI setups
under windows if you can. A setup, where PHP
sritps are portable, so no #!c:\php\php.exe type
of method is doable...

Maybe James can find another way. The Apache doc
only documents the methods we have in the install
and security chapters...

---
Goba

[2002-01-08 03:28 UTC] imajes@php.net

Ok, 

I have checked in a newer, cleaner version of the relevant documentation. 

As far as the guidelines go, configuring php and apache like that is a massive security risk, (since we've been recommending all production level sites to create a script alias for /php/ and mapping that to their php directory), so I appeal to the apache people (Jimw, etc) to look into ways of fixing it so you don't have to use a scriptalias and action. (or use action with an absolute path).

This is a pretty urgent problem, so i'm going to mark this bug as critical and move it to Apache Related.

[2002-01-08 07:16 UTC] sander@php.net

As said by others, this is NOT a bug, but a documentation problem.
(btw: assigned to only needs your username)

[2002-01-08 08:03 UTC] imajes@php.net

the documentation is fixed, i committed this morning/last night.

there is however a bug in the way apache handles the binary -- or the way php acts when called as a binary (you can get premature end of script headers).

What i would like to do is leave this open, and noticeable for some of the apache guys to take a look at and comment on it. 

The docs are fixed.... we just need to wait to see if this is a thing to hand off to apache.

[2002-01-09 02:17 UTC] leighgardiner at hotmail dot com

so do we have to read the documentation again on how to install PHP?? have u added a fix?

[2002-01-09 09:56 UTC] christian_holler at web dot de

I have windows xp + apache + php 4.1 installed and the /php/ alias is also definied in my httpd.conf and therefor I am also affected by this exploit. but how can I use php WITHOUT this alias in apache conf? I tried several things but it doesn't work.

chris, 15 =)

[2002-02-24 03:56 UTC] roberto at berto dot net

For emmergency, a simple check at "auto_prepend_file"  whould help:

<?PHP
if (preg_match("/^\/php\/php.exe/i",$_SERVER["REQUEST_URI"])) {
print "No Hack"; exit;
}
?>

[2002-02-27 07:37 UTC] jan@php.net

we have a manual chapter for securing the cgi-bin installation.
http://www.php.net/manual/en/security.cgi-bin.php

[2002-03-03 03:24 UTC] sjoerdsantema at hotmail dot com

I had someone trying to exploit this bug like two months ago. I accidently saw it in my apache logs someone was trying to do this.

This only happens if you php dir is in your webserver root?

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Nov 02 00:00:01 2025 UTC