Bug #14909 Allows access to ANY file
Submitted: 2002-01-07 09:34 UTC Modified: 2002-02-27 07:37 UTC
Votes:6
Avg. Score:3.7 ± 1.9
Reproduced:4 of 5 (80.0%)
Same Version:3 (75.0%)
Same OS:4 (100.0%)
From: leighgardiner at hotmail dot com Assigned: imajes (profile)
Status: Closed Package: Apache related
PHP Version: 4.1.1 OS: Windows
Private report: No CVE-ID: None
 [2002-01-07 09:34 UTC] leighgardiner at hotmail dot com
Well, you should have already heard about this, but I'll report it anyway because we all need a fix very fast! When you do this: http://www.example.com/php/php.exe?c:\winnt\repair\sam (this is an example, you can view any file) it will return the file's contents! This happens with ANY Windows version... I don't think it affects Linux. Also, this will return the install path of PHP: http://www.example.com/php/php4ts.dll
Could you please get a patch/new version out ASAP! This is extremely serious!

 [2002-01-07 09:41 UTC] georg@php.net
Unbelievable, why do you set your cgi-binary in the document root tree!?

See http://www.cert.org/advisories/CA-1996-11.html
 [2002-01-07 09:46 UTC] imajes@php.net
Actually, our documentation tells win32 users to install that way. I'm investigating a better method right now, and will patch the documentation in a short while.

I knew I forgot to do something after I updated my win32 last week!
 [2002-01-07 12:02 UTC] goba@php.net
Georg, our security section has a link to that CERT
advisory for quite a long time now. I have added a
warning and a link to the particular security page
to that setup instruction page for Apache windows.

Please give better instructions for CGI setups
under windows if you can. A setup, where PHP
scripts are portable, so no #!c:\php\php.exe type
of method is doable...

Maybe James can find another way. The Apache doc
only documents the methods we have in the install
and security chapters...

---
Goba
 [2002-01-08 03:28 UTC] imajes@php.net
Ok, 

I have checked in a newer, cleaner version of the relevant documentation. 

As far as the guidelines go, configuring php and apache like that is a massive security risk, (since we've been recommending all production level sites to create a script alias for /php/ and mapping that to their php directory), so I appeal to the apache people (Jimw, etc) to look into ways of fixing it so you don't have to use a scriptalias and action. (or use action with an absolute path).

This is a pretty urgent problem, so I'm going to mark this bug as critical and move it to Apache Related.
 [2002-01-08 07:16 UTC] sander@php.net
As said by others, this is NOT a bug, but a documentation problem.
(btw: assigned to only needs your username)
 [2002-01-08 08:03 UTC] imajes@php.net
The documentation is fixed; I committed this morning/last night.

There is, however, a bug in the way Apache handles the binary -- or the way PHP acts when called as a binary (you can get premature end of script headers).

What I would like to do is leave this open, and noticeable for some of the Apache guys to take a look at and comment on it.

The docs are fixed.... we just need to wait to see if this is a thing to hand off to apache.
 [2002-01-09 02:17 UTC] leighgardiner at hotmail dot com
So do we have to read the documentation again on how to install PHP? Have you added a fix?
 [2002-01-09 09:56 UTC] christian_holler at web dot de
I have Windows XP + Apache + PHP 4.1 installed and the /php/ alias is also defined in my httpd.conf, and therefore I am also affected by this exploit. But how can I use PHP WITHOUT this alias in the Apache conf? I tried several things but it doesn't work.

chris, 15 =)
 [2002-02-24 03:56 UTC] roberto at berto dot net
For an emergency, a simple check in "auto_prepend_file" would help:

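<?php
// Emergency stopgap for auto_prepend_file: refuse requests that address
// the CGI binary directly (the dot is escaped so it matches literally).
if (preg_match("/^\/php\/php\.exe/i", $_SERVER["REQUEST_URI"])) {
    print "No Hack";
    exit;
}
?>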
 [2002-02-27 07:37 UTC] jan@php.net
We have a manual chapter for securing the cgi-bin installation.
http://www.php.net/manual/en/security.cgi-bin.php
 [2002-03-03 03:24 UTC] sjoerdsantema at hotmail dot com
I had someone trying to exploit this bug like two months ago. I accidentally saw in my Apache logs that someone was trying to do this.

This only happens if your php dir is in your webserver root?
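
A defender's check for the log evidence mentioned in the last comment, as an added example that is not part of the original thread: it scans Apache access-log lines for direct requests to the CGI binary or DLL named in the report. The function names and sample log lines are constructed for illustration, and it assumes Common/Combined Log Format with the /php/ alias layout discussed above.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache Common/Combined Log Format:
# host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# The two files named in the report. Windows paths are case-insensitive,
# so the match ignores case. With an Action handler, legitimate script
# requests are logged under the script's own URL, never under the binary.
BINARY_RE = re.compile(r'/(php\.exe|php4ts\.dll)(?:/|$)', re.IGNORECASE)

def classify(line):
    """Return (host, kind, status) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)  # decode percent-escapes before matching
    hit = BINARY_RE.search(path)
    if not hit:
        return None
    if hit.group(1).lower().endswith(".dll"):
        kind = "path-disclosure-probe"
    elif parts.query:
        kind = "file-read-attempt"  # binary called with a caller-supplied argument
    else:
        kind = "direct-binary-request"
    return (m.group("host"), kind, int(m.group("status")))

def scan(lines):
    """Classify every line and keep only the suspicious ones."""
    return [r for r in map(classify, lines) if r is not None]

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [03/Jan/2002:10:15:02 +0000] "GET /index.php?id=3 HTTP/1.0" 200 5120',
    '198.51.100.7 - - [03/Jan/2002:10:16:40 +0000] '
    '"GET /php/php.exe?c:%5Cwinnt%5Crepair%5Csam HTTP/1.0" 200 20480',
    '198.51.100.7 - - [03/Jan/2002:10:16:44 +0000] "GET /PHP/Php.exe HTTP/1.0" 500 603',
    '203.0.113.5 - - [03/Jan/2002:10:17:09 +0000] "GET /php/php4ts.dll HTTP/1.0" 500 603',
]

if __name__ == "__main__":
    for host, kind, status in scan(SAMPLE):
        print(f"{host:15} {kind:24} status={status}")
```

A "file-read-attempt" logged with status 200 is the case to triage first, since the response may have carried file contents.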
 