PHP :: Bug #6366 :: Security vulnerability for bad url file names with IIS PHP

Bug #6366	Security vulnerability for bad url file names with IIS PHP
Submitted:	2000-08-26 09:11 UTC	Modified:	2000-08-26 12:42 UTC
From:	joel at intwebservices dot com	Assigned:
Status:	Closed	Package:	Other
PHP Version:	4.0.1pl2	OS:	Windows NT 4.0
Private report:	No	CVE-ID:	None

View Developer Edit

[2000-08-26 09:11 UTC] joel at intwebservices dot com

If you put a bad file name in the url the error message shows the hard drive directory structure.

No script necessary.
Just put any bad file name in a url for an IIS web server 

cgi version:
Fatal error: Unable to open S:\awebsites\websiteman\html\*a.php in Unknown on line 0

isapi version
Warning: Failed opening 'S:\awebsites\websiteman\html\*a.phpi' for inclusion (include_path='') in Unknown on line 0

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2000-08-26 12:38 UTC] stas@php.net

This is intended behaviour, use error_reporting = off if you do not want this.

[2000-08-26 12:42 UTC] zeev@php.net

Actually error_reporting = off is a bit meaningless.
One should use
display_errors = Off
to avoid displaying errors to the end users.  Assuming you're still interested in knowing what error messages were triggered, you should also use
log_errors = On

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 15:00:01 2025 UTC