PHP :: Bug #9353 :: Require command reads /etc/passwd

Bug #9353	Require command reads /etc/passwd
Submitted:	2001-02-20 09:26 UTC	Modified:	2001-02-20 13:35 UTC
From:	sebastian at wolfgarten dot com	Assigned:
Status:	Closed	Package:	Unknown/Other Function
PHP Version:	4.0.1pl2	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	sebastian at wolfgarten dot com
New email:
PHP Version:		OS:

New Comment:

[2001-02-20 09:26 UTC] sebastian at wolfgarten dot com

Hello,

I have found a bug in PHP 4.01pl2 and maybe it exist in all other php versions too. A php script can read all files on the system when the read flag for everyone is set for that file. This code shows the problem:

<?
    require('../../../../../../../etc/passwd');
?>

It is not a very serious bug but by reading local files a hacker might get important information he (or she) could use to hack into the system.

Bye
Sebastian Wolfgarten

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2001-02-20 13:35 UTC] sas@php.net

Please check out the security section of the manual, 
especially regarding the safe mode feature.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 13:01:31 2024 UTC