PHP :: Bug #14943 :: security issue with apache's ScriptAlias and php.exe

Bug #14943	security issue with apache's ScriptAlias and php.exe
Submitted:	2002-01-09 01:22 UTC	Modified:	2002-06-18 19:13 UTC
From:	LtGuide at hotmail dot com	Assigned:
Status:	Not a bug	Package:	Apache related
PHP Version:	4.1.1	OS:	98
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	LtGuide at hotmail dot com
New email:
PHP Version:		OS:

New Comment:

[2002-01-09 01:22 UTC] LtGuide at hotmail dot com

Apache 1.3.22
PHP 4.1.1
...the latest versions at the moment.

in the httpd.conf of apache, i have:

AddType application/x-httpd-php .php
ScriptAlias /php/ "c:/mirc/apache/php/"
Action application/x-httpd-php "/php/php.exe"

typing this into my browser:
http://127.0.0.1/php/php.exe?C:\mirc\apache\apache\logs\access.log
allowed me to view the file.
i noticed the extra traffic heading out from my computer and checked the access.log myself and found someone using php.exe and the scriptalias like this.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-01-09 01:50 UTC] zak@php.net

Thank your for your report! However, please review the bug 
database for bug reports before submitting new ones.

[2002-06-18 19:13 UTC] sniper@php.net

..and add your comments to those reports.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue May 06 23:01:28 2025 UTC