Apache Web Server and PHP3 Allow Remote File Reading


Reported December 6, 2000 by CHINANSL

VERSIONS AFFECTED
  • Apache Web Server 1.3

DESCRIPTION

A security issue has been identified on Windows NT and Windows 2000 servers running Apache Web servers and PHP3. A malicious user can use this vulnerability to access the contents of various files.

DEMONSTRATION

For example, a malicious user who wants to access the httpd.conf file enters the following URL in a Web browser:

http://www.vulnerablecom/index.php3.%5c../..%5cconf/httpd.conf.
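
The request above leaves a recognizable trace in the server's access log. The following Python is an added example, not part of the original advisory: it percent-decodes each request path, treats the backslash as a path separator the way Windows does, and flags any ".." segment. The function names and the log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decoded_segments(target):
    """Percent-decode the request path once, the way a web server does,
    then split on both '/' and '\\' because Windows accepts either."""
    path = unquote(urlsplit(target).path)
    return re.split(r'[\\/]', path)

def is_traversal(target):
    """True if any decoded path segment is exactly '..'."""
    return '..' in decoded_segments(target)

def suspicious_requests(lines):
    """Return the raw request targets that contain a parent-directory step."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and is_traversal(match.group(1)):
            hits.append(match.group(1))
    return hits

# Constructed sample log lines (addresses are from the documentation range).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Dec/2000:10:00:01 +0000] "GET /index.php3 HTTP/1.0" 200 1043',
    '192.0.2.44 - - [06/Dec/2000:10:00:07 +0000] '
    '"GET /index.php3.%5c../..%5cconf/httpd.conf HTTP/1.0" 200 31872',
    # Benign: '..' appears inside a file name, not as a whole segment.
    '192.0.2.10 - - [06/Dec/2000:10:00:12 +0000] "GET /docs/v1..2/notes.html HTTP/1.0" 200 512',
    # Benign: percent-encoding that is not a separator.
    '192.0.2.10 - - [06/Dec/2000:10:00:15 +0000] "GET /docs/read%20me.html HTTP/1.0" 200 88',
]

if __name__ == "__main__":
    for target in suspicious_requests(SAMPLE_LOG):
        print("traversal attempt:", target)
```

Comparing whole decoded segments, rather than searching the raw line for "..", is what keeps the file name "v1..2" from being reported while still catching the %5c form.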

VENDOR RESPONSE

The vendor has been contacted, but no response has been received.  

CREDIT
Discovered by CHINANSL

 