php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #26471 Big security hole in directory acces system
Submitted: 2003-11-30 06:13 UTC Modified: 2003-11-30 07:31 UTC
From: hdf at vipmail dot hu Assigned:
Status: Not a bug Package: *Directory/Filesystem functions
PHP Version: 4.3.3 OS: Win32
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: hdf at vipmail dot hu
New email:
PHP Version: OS:

 

 [2003-11-30 06:13 UTC] hdf at vipmail dot hu 
Description:
------------
It is possible (very easily) to scan the whole filesystem structure of the server, on wich the php script is running, including all partitiones and drives.
The problem is I think that there is no limiting option in php, about how many levels upwards in the directory tree are alowed for a script.
I have made a little "Troyan horse php script", wich can scan the filesystem of the server, and even read in the textfiles on it.

Reproduce code:
---------------
http://members.chello.hu/hdf13/MyPrograms/dirlist.zip

Expected result:
----------------
It runs perfectly, but it shouldn't. :)

Actual result:
--------------
The whole server filesystem is visible and browsable and textfiles in it are readeable. Serious security hole!

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-11-30 07:31 UTC] derick@php.net 
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

It\'s not PHP\'s job to secure a webserver. And we have an \'open_basedir\' setting for this.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Dec 21 16:01:28 2024 UTC