ID: 10442
Updated by: jmoore
Old-Status: Open
Status: Closed
Bug Type: Apache related
PHP Version: 4.0.4pl1
Assigned To: 

This is well covered in the manual under security issues you should compile with the 
appropriate options.

- James

Previous Comments:

[2001-04-22 11:23:10] [EMAIL PROTECTED]
I'm using Apache 1.3.19 on Windows 2000, with PHP 4.0.4pl1 running as a CGI 

Occasionaly whilst testing on localhost, Apache will set the current address as, for 

This can be modified, to read ANY file from the server.

would, for example, print out in plaintext the contents of that file on a Win9x 

IMO, this represents an enormous potential security problem, although is it dependant 
on the attacker knowing the path to the php.exe executable, and the filename he wishes 
to retrive.

This works on my Windows 2000 and Windows 98SE machines, both of which have PHP 
running as an executable.
The initial setup instructions come from, which set PHP to 
be installed as c:phpphp.exe by default.

Jakub Burgis


ATTENTION! Do NOT reply to this email!
To reply, use the web interface found at

PHP Development Mailing List <>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to