From: [EMAIL PROTECTED] Operating system: Windows 9x, Windows 2000 PHP version: 4.0.4pl1 PHP Bug Type: Apache related Bug description: CGI php.exe allows for ANY file to be read from the server I'm using Apache 1.3.19 on Windows 2000, with PHP 4.0.4pl1 running as a CGI executable. Occasionaly whilst testing on localhost, Apache will set the current address as, for example: http://127.0.0.1/php/php.exe?/path/to/index.php This can be modified, to read ANY file from the server. http://127.0.0.1/php/php.exe?c:\windows\win.ini would, for example, print out in plaintext the contents of that file on a Win9x system. IMO, this represents an enormous potential security problem, although is it dependant on the attacker knowing the path to the php.exe executable, and the filename he wishes to retrive. This works on my Windows 2000 and Windows 98SE machines, both of which have PHP running as an executable. The initial setup instructions come from http://www.phpbuilder.com/, which set PHP to be installed as c:\php\php.exe by default. Jakub Burgis [EMAIL PROTECTED] -- Edit Bug report at: http://bugs.php.net/?id=10442&edit=1 -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
