PHP :: Bug #67036 :: Local File Inclusion Vulnerability on php.net

Bug #67036	Local File Inclusion Vulnerability on php.net
Submitted:	2014-04-06 15:56 UTC	Modified:	2014-04-06 20:40 UTC
From:	ghulianisikh at gmail dot com	Assigned:
Status:	Not a bug	Package:	Website problem
PHP Version:	Irrelevant	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

[2014-04-06 15:56 UTC] ghulianisikh at gmail dot com

Description:
------------
Hey, 
While pentesting http://php.net/ , i found a critical LFI (Local File Inclusion) Vulnerability . This vulnerability leads to disclose source code of any php file on the server. 
Following are the details: 

This is the url that is vulnerable to LFI . 
Fow example: 
http://in3.php.net/cached.php?f=index.php
http://in3.php.net/cached.php?f=downloads.php

I was also able to grab source of pear directory index page. 
http://in3.php.net/cached.php?f=pear/index.php [Right Click -> View Source]


Please let me know if you need any help with reproduction of bug. 
Thank You !

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-04-06 20:40 UTC] stas@php.net

-Status: Open +Status: Not a bug -Type: Security +Type: Bug

[2014-04-06 20:40 UTC] stas@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

PHP website sources are public.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Mar 15 05:01:28 2025 UTC