Hi Folks:

I haven't been reading the list lately.  I went to the mailing list archives
on Google and MARC to see what's been said about the "Apache Win32 PHP.EXE
Remote File Disclosure Vulnerability."  I was surprised to find only one post
to the php-dev list:

> As I responded on Bugtraq, this is, if anything, an Apache bug, not a PHP 
> bug.  It could be a configuration bug too, but the bottom line is the 
> Apache doesn't determine that the file is a PHP file when requested in that 
> way, and doesn't even invoke PHP on it.
> Zeev


I was surprised that nothing is mentioned about it on the PHP web site.  I
did a search on the whole site for "apache File Disclosure" and got no hits.

Similarly, looking in the Apache Bug Report Database brought up nothing. 

So, I wanted to give the php-general list a heads up on this matter.  As Zeev
points out, it's an Apache problem, but it's something we, as PHP users, will
run into...

vvvvvvvvvvvvvvvv   clip from Security Focus  vvvvvvvvvvvvvvvvvvvv

SecurityFocus Newsletter #127.  Tue, 15 Jan 2002.

1. Apache Win32 PHP.EXE Remote File Disclosure Vulnerability
BugTraq ID: 3786
Remote: Yes
Date Published: Jan 04 2002 12:00A
Relevant URL:

A vulnerability exists in the suggested default configuration for the
Apache PHP.EXE binary on Microsoft Windows platforms. This issue has the
potential to disclose the contents of arbitrary files to remote attackers.

The ScriptAlias line of the following configuration in the httpd.conf
Apache configuration file is known to be the source of this issue:

ScriptAlias /php/ "c:/php/"=20
AddType application/x-httpd-php .php=20
Action application/x-httpd-php "/php/php.exe"

As a result, it is possible for an attacker to append a filepath to the
end of web request for php.exe. Files targetted in this manner will be
served to the attacker.

It is also possible to run executables in the PHP directory via successful
exploitation of this vulnerability.


A temporary workaround I though of off the cuff is modifying some of the
settings in the Apache configuration (httpd.conf, .htaccess, etc) files. 
This way, crackers would have to guess the vulnerable path.  Of course, this
isn't a real security measure, but it reduces the likelyhood of problems.

   Action application/x-httpd-php "/php/php.exe"
   ScriptAlias /php/ "f:/Program Files/php4/"

   Action application/x-httpd-php "/SomeOtherName/php.exe"
   ScriptAlias /SomeOtherName/ "f:/Program Files/php4/"

Another thing Win32/PHP/Apache users on NT and 2000 machines can do is run
the Apache service under a particular user id and tighten permissions granted
that user.

I guess mod_rewrite could be used to head off these calls to /php/php.exe. 
But I'm not familiar enough with mod_rewrite to do this.  If anyone is,
please be kind enough to post the _complete_ set of commands one would need
to handle this situation.



                PHP scripts that make your job easier
         SQL Solution  |  Layout Solution  |  Form Solution
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7 Ave, Brooklyn NY 11232    v: 718-854-0335    f: 718-854-0409

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to