PHP :: Bug #14943 :: security issue with apache's ScriptAlias and php.exe

Bug #14943	security issue with apache's ScriptAlias and php.exe
Submitted:	2002-01-09 01:22 UTC	Modified:	2002-06-18 19:13 UTC
From:	LtGuide at hotmail dot com	Assigned:
Status:	Not a bug	Package:	Apache related
PHP Version:	4.1.1	OS:	98
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	LtGuide at hotmail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2002-01-09 01:22 UTC] LtGuide at hotmail dot com

Apache 1.3.22
PHP 4.1.1
...the latest versions at the moment.

in the httpd.conf of apache, i have:

AddType application/x-httpd-php .php
ScriptAlias /php/ "c:/mirc/apache/php/"
Action application/x-httpd-php "/php/php.exe"

typing this into my browser:
http://127.0.0.1/php/php.exe?C:\mirc\apache\apache\logs\access.log
allowed me to view the file.
i noticed the extra traffic heading out from my computer and checked the access.log myself and found someone using php.exe and the scriptalias like this.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-01-09 01:50 UTC] zak@php.net

Thank your for your report! However, please review the bug 
database for bug reports before submitting new ones.

[2002-06-18 19:13 UTC] sniper@php.net

..and add your comments to those reports.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Jun 18 08:01:31 2025 UTC