|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #10442 CGI php.exe allows for ANY file to be read from the server
Submitted: 2001-04-22 11:23 UTC Modified: 2001-04-28 16:16 UTC
From: hingleton at freeuk dot com Assigned:
Status: Closed Package: Apache related
PHP Version: 4.0.4pl1 OS: Windows 9x, Windows 2000
Private report: No CVE-ID: None
 [2001-04-22 11:23 UTC] hingleton at freeuk dot com
I'm using Apache 1.3.19 on Windows 2000, with PHP 4.0.4pl1 running as a CGI executable.

Occasionaly whilst testing on localhost, Apache will set the current address as, for example:

This can be modified, to read ANY file from the server.\windows\win.ini

would, for example, print out in plaintext the contents of that file on a Win9x system.

IMO, this represents an enormous potential security problem, although is it dependant on the attacker knowing the path to the php.exe executable, and the filename he wishes to retrive.

This works on my Windows 2000 and Windows 98SE machines, both of which have PHP running as an executable.
The initial setup instructions come from, which set PHP to be installed as c:\php\php.exe by default.

Jakub Burgis


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2001-04-28 16:16 UTC]
This is well covered in the manual under security issues you should compile with the appropriate options.

- James
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sat May 27 22:03:41 2023 UTC