Bug #66160 PHP file used to load CSS and JS (cached.php) on new site reveals source code
Submitted: 2013-11-23 16:29 UTC Modified: 2013-11-23 17:59 UTC
From: josiah at josiahkeller dot com Assigned:
Status: Not a bug Package: Website problem
PHP Version: Irrelevant OS: N/A
Private report: No CVE-ID: None
 [2013-11-23 16:29 UTC] josiah at josiahkeller dot com
Description:
------------
In the new site redesign, a file called "cached.php" is used in the href for the stylesheet <link> tags, and in the src for a few <script> tags.  A GET parameter called "f" determines what file is served.  However, it looks like just about any path can be manually passed in that parameter, and the script will output the contents of that file, even if it's a PHP source code file.  Not knowing what files are accessible this way, I thought this should be reported, as for all I know there could be sensitive info that could be found out this way.

Expected result:
----------------
It probably ought to reject requests to .php or .inc files.

Actual result:
--------------
It doesn't.

History

 [2013-11-23 16:56 UTC] johannes@php.net
-Type: Security +Type: Bug
 [2013-11-23 16:56 UTC] johannes@php.net
This seems to be limited to files in the webroot, all files there are public and accessible from our git or rsync servers. Removing security flags so that the full web team can take a look and decide whether extra checks make sense ...
 [2013-11-23 17:59 UTC] bjori@php.net
-Status: Open +Status: Not a bug
 [2013-11-23 17:59 UTC] bjori@php.net
There has always been a "view source" link on all our web pages.

We don't have any sensitive files on php.net, and all of them can be retrieved from rsync or git.
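
Added example, not part of the thread above and not php.net's actual cached.php: one way a loader that takes a file path in the "f" parameter can apply the check the reporter suggests, combining an extension allowlist with a canonical-path containment test. The function name `resolve_asset`, the `ALLOWED_TYPES` table and the demo directory tree are assumptions constructed for this illustration.

```php
<?php
// Hypothetical hardened resolver for a cached.php-style asset loader.
// resolve_asset() and ALLOWED_TYPES are illustrative names, not php.net code.

const ALLOWED_TYPES = [
    'css' => 'text/css',
    'js'  => 'application/javascript',
];

/** Map the "f" value to [absolutePath, contentType] under $baseDir, or null. */
function resolve_asset(string $baseDir, string $requested): ?array
{
    // Refuse NUL bytes and any extension not on the allowlist (.php, .inc, ...).
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (strpos($requested, "\0") !== false || !array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }

    // Canonicalise both paths so ../ sequences and symlinks are resolved
    // before the containment check.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }

    // The resolved file must sit strictly inside the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return [$path, ALLOWED_TYPES[$ext]];
}

// Constructed demo tree in a temp directory (sample data, not real site files).
$root = sys_get_temp_dir() . '/asset_demo_' . bin2hex(random_bytes(4));
mkdir("$root/web/styles", 0700, true);
file_put_contents("$root/web/styles/site.css", 'body{}');
file_put_contents("$root/web/index.php", '<?php /* source */');
file_put_contents("$root/secret.js", '// outside the served directory');

$samples = ['styles/site.css', 'index.php', '../secret.js', 'styles/../index.php'];
foreach ($samples as $f) {
    $hit = resolve_asset("$root/web", $f);
    printf("%-22s => %s\n", $f, $hit ? "serve as {$hit[1]}" : 'reject (404)');
}
```

Only `styles/site.css` is served; the PHP source and the file outside the base directory are rejected even though the latter carries an allowed extension.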
 