Bug #66160 PHP file used to load CSS and JS (cached.php) on new site reveals source code
Submitted: 2013-11-23 16:29 UTC Modified: 2013-11-23 17:59 UTC
From: josiah at josiahkeller dot com Assigned:
Status: Not a bug Package: Website problem
PHP Version: Irrelevant OS: N/A
Private report: No CVE-ID: None
 [2013-11-23 16:29 UTC] josiah at josiahkeller dot com
Description:
------------
In the new site redesign, a file called "cached.php" is used in the href for the stylesheet <link> tags, and in the src for a few <script> tags.  A GET parameter called "f" determines what file is served.  However, it looks like just about any path can be manually passed in that parameter, and the script will output the contents of that file, even if it's a PHP source code file.  Not knowing what files are accessible this way, I thought this should be reported, as for all I know there could be sensitive info that could be found out this way.

Expected result:
----------------
It probably ought to reject requests to .php or .inc files.

Actual result:
--------------
It doesn't.
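A hardened version of the kind of endpoint the report describes, added here as an example and not php.net's own cached.php: the requested path is canonicalised with realpath(), confined to a single asset directory, and checked against an allowlist of extensions instead of the .php/.inc denylist the reporter suggests. The ./static directory, the function name and the two content types are assumptions.

```php
<?php
// Added example, not php.net's own cached.php. A "?f=<path>" asset
// endpoint that serves only allowlisted static files from one directory.
// The unsafe shape the report describes is roughly: readfile($_GET['f']);
// Assumed layout: public assets live in ./static next to this script.

/**
 * Map a requested relative path to [absolute path, content type],
 * or null if the request must be refused.
 */
function resolveAsset(string $requested, string $assetRoot): ?array
{
    // Allowlist what is meant to be public. A denylist of .php/.inc
    // (the reporter's suggestion) silently misses .phtml, editor backups,
    // config files and anything else that later lands in the webroot.
    $types = ['css' => 'text/css', 'js' => 'application/javascript'];

    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $root = realpath($assetRoot);
    if ($root === false) {
        return null;
    }

    // realpath() collapses "..", symlinks and duplicate separators, and
    // yields false for non-existent files, so the containment check below
    // runs against the real on-disk location, not the caller's string.
    $real = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Must sit strictly under the asset root (prefix incl. separator).
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return isset($types[$ext]) ? [$real, $types[$ext]] : null;
}

$f = $_GET['f'] ?? '';
$asset = resolveAsset(is_string($f) ? $f : '', __DIR__ . '/static');
if ($asset === null) {
    http_response_code(404);   // refuse rather than leak or echo the path
    exit;
}
[$path, $type] = $asset;
header('Content-Type: ' . $type);
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the allowlist is keyed on the resolved file's extension, a request for any source, config or backup file in the directory returns 404 regardless of how the path is spelled.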

History

 [2013-11-23 16:56 UTC] johannes@php.net
-Type: Security +Type: Bug
 [2013-11-23 16:56 UTC] johannes@php.net
This seems to be limited to files in the webroot, all files there are public and accessible from our git or rsync servers. Removing security flags so that the full web team can take a look and decide whether extra checks make sense ...
 [2013-11-23 17:59 UTC] bjori@php.net
-Status: Open +Status: Not a bug
 [2013-11-23 17:59 UTC] bjori@php.net
There has always been a "view source" link on all our web pages.

We don't have any sensitive files on php.net, and all of them can be retrieved from rsync or git.