ID: 10442 Updated by: jmoore Reported By: [EMAIL PROTECTED] Old-Status: Open Status: Closed Bug Type: Apache related PHP Version: 4.0.4pl1 Assigned To: Comments: This is well covered in the manual under security issues you should compile with the appropriate options. - James Previous Comments: --------------------------------------------------------------------------- [2001-04-22 11:23:10] [EMAIL PROTECTED] I'm using Apache 1.3.19 on Windows 2000, with PHP 4.0.4pl1 running as a CGI executable. Occasionaly whilst testing on localhost, Apache will set the current address as, for example: http://127.0.0.1/php/php.exe?/path/to/index.php This can be modified, to read ANY file from the server. http://127.0.0.1/php/php.exe?c:windowswin.ini would, for example, print out in plaintext the contents of that file on a Win9x system. IMO, this represents an enormous potential security problem, although is it dependant on the attacker knowing the path to the php.exe executable, and the filename he wishes to retrive. This works on my Windows 2000 and Windows 98SE machines, both of which have PHP running as an executable. The initial setup instructions come from http://www.phpbuilder.com/, which set PHP to be installed as c:phpphp.exe by default. Jakub Burgis [EMAIL PROTECTED] --------------------------------------------------------------------------- ATTENTION! Do NOT reply to this email! To reply, use the web interface found at http://bugs.php.net/?id=10442&edit=2 -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]