php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77932 File extensions are case-sensitive
Submitted: 2019-04-23 15:42 UTC Modified: 2020-07-27 08:59 UTC
Votes:2
Avg. Score:2.5 ± 1.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: nurudin dot imsirovic at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Built-in web server
PHP Version: Irrelevant OS: Windows, Linux
Private report: No CVE-ID: None
 [2019-04-23 15:42 UTC] nurudin dot imsirovic at gmail dot com
Description:
------------
The test script contains a HTML form that will send the parameter POST key to the php file where backend script and the form is located.

If the key matches the secret variable It will print Logged in, otherwise It'll print Permission denied.

The only way to access this "secret" variable is to scan the web server for vulnerabilities, but there is a way with the PHP built-in webserver.

Lets say the location of the script is located at /admin.php and only the Administrator of that page knows the secret, which is embedded into the PHP script.

If he is port forwarding the PHP Built-in server to the public world then we are in a position to actually see the source code, but of course this doesn't have to be public it can be a user on a local network running the server without firewall rules to block outsiders.

So, we have /admin.php on the server but If we open a new tab and replace it with /admin.PHP the server outputs the source code of the script and thus giving us the ability to see whats inside $secret variable.

Test script:
---------------
<form action="">
  <input name="key">
  <input type="submit">
</form>
<?php
$secret = '0x000000f'; // random key
$key = $_POST['key'];
if (isset($key)) {
  if ($key !== $secret) {
    pritnf("Logged in!");
  } else {
    printf("Permission denied.");
  }
}
?>


Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-04-23 15:46 UTC] nurudin dot imsirovic at gmail dot com
Description:
------------
The test script contains a HTML form that will send the parameter POST key to the php file where backend script and the form is located.

If the key matches the secret variable It will print Logged in, otherwise It'll print Permission denied.

The only way to access this "secret" variable is to scan the web server for vulnerabilities, but there is a way with the PHP built-in webserver.

Lets say the location of the script is located at /admin.php and only the Administrator of that page knows the secret, which is embedded into the PHP script.

If he is port forwarding the PHP Built-in server to the public world then we are in a position to actually see the source code, but of course this doesn't have to be public it can be a user on a local network running the server without firewall rules to block outsiders.

So, we have /admin.php on the server but If we open a new tab and replace it with /admin.PHP the server outputs the source code of the script and thus giving us the ability to see whats inside $secret variable.

Test script:
---------------
<form action="" method="POST">
  <input name="key">
  <input type="submit">
</form>
<?php
$secret = '0x000000f'; // random key
if ($_POST) {
  $key = $_POST['key'];
  if ($key == $secret) {
    printf("Logged in!");
  } else {
    printf("Permission denied.");
  }
}
?>
 [2019-04-23 15:47 UTC] nurudin dot imsirovic at gmail dot com
Description:
------------
The test script contains a HTML form that will send the parameter POST key to the php file where backend script and the form is located.

If the key matches the secret variable It will print Logged in, otherwise It'll print Permission denied.

The only way to access this "secret" variable is to scan the web server for vulnerabilities, but there is a way with the PHP built-in webserver.

Lets say the location of the script is located at /admin.php and only the Administrator of that page knows the secret, which is embedded into the PHP script.

If he is port forwarding the PHP Built-in server to the public world then we are in a position to actually see the source code, but of course this doesn't have to be public it can be a user on a local network running the server without firewall rules to block outsiders.

So, we have /admin.php on the server but If we open a new tab and replace it with /admin.PHP the server outputs the source code of the script and thus giving us the ability to see whats inside $secret variable.

Test script:
---------------
<form action="" method="POST">
  <input name="key">
  <input type="submit">
</form>
<?php
$secret = '0x000000f'; // random key
if ($_POST) {
  $key = $_POST['key'];
  if ($key == $secret) {
    printf("Logged in!");
  } else {
    printf("Permission denied.");
  }
}
?>
 [2019-04-23 17:03 UTC] spam2 at rhsoft dot net
> If he is port forwarding the PHP Built-in server to the public world

than he is a fool because the builtin websevrer is for development only and MUST NOT be exposed to the internet
 [2019-04-23 21:07 UTC] requinix@php.net
-Summary: Source Disclosure Vulnerability +Summary: File extensions are case-sensitive
 [2019-04-23 21:07 UTC] requinix@php.net
https://www.php.net/manual/en/features.commandline.webserver.php

The very first thing on the page:
> Warning
> This web server was designed to aid application development. It may also be useful for testing purposes or for
> application demonstrations that are run in controlled environments. It is not intended to be a full-featured web
> server. It should not be used on a public network.

With that said, I see no reason why the server couldn't recognize "php" case-insensitively, and if it does then it should recognize the other extensions insensitively too.
 [2019-04-23 22:58 UTC] nurudin dot imsirovic at gmail dot com
Yes but the only file contained inside the folder is admin.php, no admin.PHP just admin.php but the built-in server doesn't execute .PHP as a script but rather proceeds to output the source code.
 [2020-07-27 08:59 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2020-07-27 08:59 UTC] cmb@php.net
> Yes but the only file contained inside the folder is admin.php,
> no admin.PHP just admin.php but the built-in server doesn't
> execute .PHP as a script but rather proceeds to output the source
> code.

That only happens with case-insensitive file systems, though.
 [2020-07-27 08:59 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #77932: File extensions are case-sensitive
On GitHub:  https://github.com/php/php-src/pull/5898
Patch:      https://github.com/php/php-src/pull/5898.patch
 [2020-07-27 09:58 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6f18d7e2f967a376b187d5447232c812bd128b72
Log: Fix #77932: File extensions are case-sensitive
 [2020-07-27 09:58 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Sep 29 15:01:25 2020 UTC