Bug #6366 Security vulnerability for bad url file names with IIS PHP
Submitted: 2000-08-26 09:11 UTC Modified: 2000-08-26 12:42 UTC
From: joel at intwebservices dot com Assigned:
Status: Closed Package: Other
PHP Version: 4.0.1pl2 OS: Windows NT 4.0
Private report: No CVE-ID: None

 [2000-08-26 09:11 UTC] joel at intwebservices dot com
If you put a bad file name in the URL, the error message shows the hard drive directory structure.

No script necessary.
Just put any bad file name in a URL for an IIS web server.

cgi version:
Fatal error: Unable to open S:\awebsites\websiteman\html\*a.php in Unknown on line 0

isapi version:
Warning: Failed opening 'S:\awebsites\websiteman\html\*a.phpi' for inclusion (include_path='') in Unknown on line 0

 [2000-08-26 12:38 UTC] stas@php.net
This is intended behaviour; use error_reporting = off if you do not want this.
 [2000-08-26 12:42 UTC] zeev@php.net
Actually error_reporting = off is a bit meaningless.
One should use
display_errors = Off
to avoid displaying errors to the end users.  Assuming you're still interested in knowing what error messages were triggered, you should also use
log_errors = On
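
An added example, not part of the original thread and not PHP's own code: a small Python audit that reads a php.ini body and reports whether the two directives recommended in the last comment are in effect. The sample INI texts are constructed, and treating an unset directive as a finding is this example's own policy.

```python
import re

# Spellings PHP's INI parser reads as boolean false / true (case-insensitive).
FALSY = {"", "0", "off", "no", "false", "none"}
TRUTHY = {"1", "on", "yes", "true"}
LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*)$")

# Constructed sample php.ini bodies (not taken from the report).
WEAK = "[PHP]\nerror_reporting = off\ndisplay_errors = On  ; dev setting\n"
HARDENED = '[PHP]\ndisplay_errors = On\ndisplay_errors = Off\nlog_errors = "On"\n'


def effective_settings(ini_text):
    """Return {directive: value}; a later line overrides an earlier one."""
    settings = {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue  # blank line, comment, or section header
        m = LINE.match(line)
        if not m:
            continue
        value = m.group(2).strip()
        if value[:1] in ('"', "'"):
            value = value[1:].split(value[0], 1)[0]  # keep text inside the quotes
        else:
            value = value.split(";", 1)[0].strip()   # drop a trailing ; comment
        settings[m.group(1).lower()] = value
    return settings


def audit(ini_text):
    """Return a list of findings; an empty list means both directives are as advised."""
    s = effective_settings(ini_text)
    findings = []
    display = s.get("display_errors")
    if display is None:
        findings.append("display_errors is not set explicitly")
    elif display.lower() not in FALSY:  # conservative: anything not off counts as on
        findings.append(f"display_errors = {display}: error text and file paths reach the client")
    log = s.get("log_errors")
    if log is None:
        findings.append("log_errors is not set explicitly")
    elif log.lower() not in TRUTHY:
        findings.append(f"log_errors = {log}: errors are not recorded")
    return findings


if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text) or "ok")
```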
Last updated: Fri May 09 13:01:28 2025 UTC