php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #10442 CGI php.exe allows for ANY file to be read from the server
Submitted: 2001-04-22 11:23 UTC Modified: 2001-04-28 16:16 UTC
From: hingleton at freeuk dot com Assigned:
Status: Closed Package: Apache related
PHP Version: 4.0.4pl1 OS: Windows 9x, Windows 2000
Private report: No CVE-ID: None
 [2001-04-22 11:23 UTC] hingleton at freeuk dot com
I'm using Apache 1.3.19 on Windows 2000, with PHP 4.0.4pl1 running as a CGI executable.

Occasionaly whilst testing on localhost, Apache will set the current address as, for example:

http://127.0.0.1/php/php.exe?/path/to/index.php

This can be modified, to read ANY file from the server.

http://127.0.0.1/php/php.exe?c:\windows\win.ini

would, for example, print out in plaintext the contents of that file on a Win9x system.

IMO, this represents an enormous potential security problem, although is it dependant on the attacker knowing the path to the php.exe executable, and the filename he wishes to retrive.

This works on my Windows 2000 and Windows 98SE machines, both of which have PHP running as an executable.
The initial setup instructions come from http://www.phpbuilder.com/, which set PHP to be installed as c:\php\php.exe by default.

Jakub Burgis
hingleton@freeuk.com

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-04-28 16:16 UTC] jmoore@php.net
This is well covered in the manual under security issues you should compile with the appropriate options.

- James
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Feb 18 11:01:26 2020 UTC