| VID |
22022 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
Using /php/php.exe with the Apache web server introduces a number of security risks. These problems could allow remote attackers to read arbitrary files on the server, or even to gain root access.
As advised in the installation text that comes with all versions of PHP, when installing PHP.EXE for use on a Windows machine running Apache, the user should insert a few lines into the Apache "httpd.conf". These exact lines are shown here:
ScriptAlias /php/ "c:/php/"
AddType application/x-httpd-php .php
Action application/x-httpd-php "/php/php.exe"
The ScriptAlias line above introduces a security vulnerability. ScriptAlias maps the URL prefix /php/ to c:/php/ and treats everything in that directory as a CGI program, so php.exe itself becomes directly requestable. If you now specify the URL "http://www.example.com/php/php.exe", you will see the error "No input file specified". This error is actually returned by php.exe, which you have just executed on the server.
This vulnerability would allow remote attackers to view files that reside outside the normal HTML root directory, or to execute arbitrary code by inserting a malicious PHP-based command into the Apache log file.
For example, in the browser, you type the following:
"http://www.example.com/php/php.exe?c:\winnt\repair\sam"
PHP.EXE will parse the sam file "c:\winnt\repair\sam" and return it to the browser for download (this is the Windows NT password file). |
| Recommendation |
Upgrade to at least Apache version 2.x or the latest version at http://httpd.apache.org/download.cgi |
| Related URL |
CVE-2002-2029 (CVE) |
| Related URL |
3786 (SecurityFocus) |
| Related URL |
7815 (ISS) |
|
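A configuration check for the pattern described above, as an added example that is not part of the original advisory: it flags any Action handler whose URL falls under a ScriptAlias prefix, which is what makes php.exe directly requestable. The function names and the comparison config are constructed for illustration.

```python
import re

# The three directives quoted in the advisory.
ADVISORY_CONF = '''
ScriptAlias /php/ "c:/php/"
AddType application/x-httpd-php .php
Action application/x-httpd-php "/php/php.exe"
'''

# Constructed comparison config: no Action handler is routed through a ScriptAlias.
COMPARISON_CONF = '''
# interpreter directory is not mapped to any URL prefix
ScriptAlias /cgi-bin/ "c:/apache/cgi-bin/"
AddType application/x-httpd-php .php
'''

def tokens(line):
    """Split a directive line into arguments, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', line)]

def exposed_interpreters(conf):
    """Return (action_type, url, filesystem_path) for every Action handler
    whose URL sits under a ScriptAlias prefix and is thus requestable as CGI."""
    aliases, actions = [], []
    for raw in conf.splitlines():
        t = tokens(raw.strip())
        if len(t) < 3 or t[0].startswith('#'):
            continue  # blank line, comment, or directive with too few arguments
        name = t[0].lower()  # Apache directive names are case-insensitive
        if name == 'scriptalias':
            aliases.append((t[1], t[2]))
        elif name == 'action':
            actions.append((t[1], t[2]))
    findings = []
    for action_type, url in actions:
        for prefix, target in aliases:
            p = prefix.rstrip('/') + '/'  # match whole path segments only
            if url.lower().startswith(p.lower()):
                fs_path = target.rstrip('/') + '/' + url[len(p):]
                findings.append((action_type, url, fs_path))
    return findings

if __name__ == '__main__':
    for name, conf in (('advisory', ADVISORY_CONF), ('comparison', COMPARISON_CONF)):
        hits = exposed_interpreters(conf)
        print(name, 'EXPOSED' if hits else 'ok', hits)
```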