as a note about this, we (i) did extensive testing to invoke the php.exe
binary and apache in any way but using an action and virtual url, and found
it didn't work.

We have suitably amended the documentation for both the win32 installer,
plus the manual, making it clearer that choosing those paths are bad.

Please CC me when replying to my messages on lists.
Was I helpful?

> -----Original Message-----
> From: Analysis and Solutions [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 29, 2002 1:02 AM
> To: PHP List
> Subject: [PHP] Apache PHP File Disclosure Vuln
> Hi Folks:
> I haven't been reading the list lately.  I went to the mailing
> list archives
> on Google and MARC to see what's been said about the "Apache Win32 PHP.EXE
> Remote File Disclosure Vulnerability."  I was surprised to find
> only one post
> to the php-dev list:
> > As I responded on Bugtraq, this is, if anything, an Apache bug,
> not a PHP
> > bug.  It could be a configuration bug too, but the bottom line is the
> > Apache doesn't determine that the file is a PHP file when
> requested in that
> > way, and doesn't even invoke PHP on it.
> >
> > Zeev
> 32247.06833468%40localhost&rnum=10&prev=/groups%3Fhl%3Den%26q%3DAp
> ache%2BPHP%2Bfile%2BDisclosure%2Bvulnerability%26btnG%3DGoogle%2BSearch
> I was surprised that nothing is mentioned about it on the PHP web site.  I
> did a search on the whole site for "apache File Disclosure" and
> got no hits.
> Similarly, looking in the Apache Bug Report Database brought up nothing.
> Weird.
> So, I wanted to give the php-general list a heads up on this
> matter.  As Zeev
> points out, it's an Apache problem, but it's something we, as PHP
> users, will
> run into...
> vvvvvvvvvvvvvvvv   clip from Security Focus  vvvvvvvvvvvvvvvvvvvv
> SecurityFocus Newsletter #127.  Tue, 15 Jan 2002.
> 1. Apache Win32 PHP.EXE Remote File Disclosure Vulnerability
> BugTraq ID: 3786
> Remote: Yes
> Date Published: Jan 04 2002 12:00A
> Relevant URL:
> Summary:
> A vulnerability exists in the suggested default configuration for the
> Apache PHP.EXE binary on Microsoft Windows platforms. This issue has the
> potential to disclose the contents of arbitrary files to remote attackers.
> The ScriptAlias line of the following configuration in the httpd.conf
> Apache configuration file is known to be the source of this issue:
> ScriptAlias /php/ "c:/php/"=20
> AddType application/x-httpd-php .php=20
> Action application/x-httpd-php "/php/php.exe"
> As a result, it is possible for an attacker to append a filepath to the
> end of web request for php.exe. Files targetted in this manner will be
> served to the attacker.
> It is also possible to run executables in the PHP directory via successful
> exploitation of this vulnerability.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> A temporary workaround I though of off the cuff is modifying some of the
> settings in the Apache configuration (httpd.conf, .htaccess, etc) files.
> This way, crackers would have to guess the vulnerable path.  Of
> course, this
> isn't a real security measure, but it reduces the likelyhood of problems.
>    Action application/x-httpd-php "/php/php.exe"
>    ScriptAlias /php/ "f:/Program Files/php4/"
>    Action application/x-httpd-php "/SomeOtherName/php.exe"
>    ScriptAlias /SomeOtherName/ "f:/Program Files/php4/"
> Another thing Win32/PHP/Apache users on NT and 2000 machines can do is run
> the Apache service under a particular user id and tighten
> permissions granted
> that user.
> I guess mod_rewrite could be used to head off these calls to
> /php/php.exe.
> But I'm not familiar enough with mod_rewrite to do this.  If anyone is,
> please be kind enough to post the _complete_ set of commands one
> would need
> to handle this situation.
> Enjoy,
> --Dan
> --
>                 PHP scripts that make your job easier
>          SQL Solution  |  Layout Solution  |  Form Solution
>  T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
>  4015 7 Ave, Brooklyn NY 11232    v: 718-854-0335    f: 718-854-0409
> --
> PHP General Mailing List (
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]

PHP General Mailing List (
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to