> On Apr 4, 2014, at 2:15, Dzkabyle abdou <[email protected]> wrote:
>
> hello php.net team
>
> I am dzkabyle and I'm a bug finder
> recently I have found a vulnerability on your web site and I decided to report
> it. more information here:
> file : cached.php
> php.net/cached.php
> the bug is remote file disclosure by manipulating the URL. You can disclose all files
> on the server just like that
>
> http://www.php.net/cached.php?t=1396464012&f=/cached.php
>
> now you can show the source code of the cached.php file
>
> Email : [email protected]

Unless you can show files outside of the docroot, this is not a bug. All the source code for the site is public and anyone can view it on git.php.net. We used to also have a "show source" right on the site. cached.php has code in place to prevent it from accessing anything outside the docroot.

-Rasmus
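
The kind of docroot confinement check the reply refers to, as an added example that is not part of the original thread and is not the code in php.net's cached.php. The helper name `resolve_in_docroot` and the temporary sample tree are assumptions constructed for illustration.

```php
<?php
// Added illustration; not the code in php.net's cached.php.
// resolve_in_docroot() is a hypothetical helper name.
function resolve_in_docroot(string $docroot, string $requested): ?string
{
    $root = realpath($docroot);
    if ($root === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", duplicate slashes and symlinks, and
    // returns false when the target does not exist.
    $path = realpath($root . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Compare against the root plus a separator so a sibling such as
    // "/srv/www-private" does not pass a bare prefix test for "/srv/www".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed sample tree in a temporary directory.
$base = sys_get_temp_dir() . '/docroot-demo-' . bin2hex(random_bytes(4));
mkdir("$base/www", 0700, true);
mkdir("$base/www-private", 0700, true);
file_put_contents("$base/www/cached.php", "<?php // public source\n");
file_put_contents("$base/www-private/secret.txt", "not public\n");
symlink("$base/www-private/secret.txt", "$base/www/link.txt");

$cases = [
    '/cached.php',                 // inside the docroot: allowed
    '/../www-private/secret.txt',  // dot-dot path to a sibling dir: refused
    '/link.txt',                   // symlink resolving outside: refused
    '/missing.php',                // nonexistent file: refused
];
foreach ($cases as $f) {
    $ok = resolve_in_docroot("$base/www", $f);
    printf("%-28s %s\n", $f, $ok === null ? 'refused' : 'served');
}
```

The check runs on the resolved path rather than on the raw `f` value, which is why the symlink and the sibling directory with a shared name prefix are both refused.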
