From: info at karlblessing dot com
Operating system: Debian 5.0 x86_64 GNU/Linux
PHP version: 5.2.12
PHP Bug Type: CGI related
Bug description: Allowing execution of non-.php file from erroneous path

Description:
------------
Webserver Used : Nginx 0.8.32
PHP Build Used : PHP 5.2.12 with FPM patch
PHP is configured to run as fastcgi

Non-php files could be executed as php, when appended with a path and erroneous php file. Affects setups running PHP via Fastcgi, primarily on non-Apache setups.

Could potentially allow someone uploading exploits, such as a jpeg with php code in it to wordpress (which doesn't check if it's an actual jpeg, or headers), and execute code from there.

Reproduce code:
---------------
Save <?php phpinfo(); ?> into a file called test.txt and access it via
http://domain.com/test.txt/fake.php

Expected result:
----------------
No input file specified.

Actual result:
--------------
Actual result shows the usual PHP Info printout, with the following variables.

_SERVER["SCRIPT_NAME"] no value
_SERVER["SCRIPT_FILENAME"] /opt/html/domain/test.txt
_SERVER["REQUEST_URI"] /test.txt/1.php
_SERVER["DOCUMENT_URI"] /test.txt/1.php
_SERVER["DOCUMENT_ROOT"] /opt/html/domain
_SERVER["PATH_INFO"] no value
_SERVER["PATH_TRANSLATED"] /opt/html/domain
_SERVER["ORIG_PATH_INFO"] no value
_SERVER["ORIG_SCRIPT_NAME"] /test.txt/1.php
_SERVER["ORIG_SCRIPT_FILENAME"] /opt/html/domain/test.txt/1.php
_SERVER["ORIG_PATH_TRANSLATED"] /opt/html/domain

-- 
Edit bug report at http://bugs.php.net/?id=50837&edit=1
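The variables in the report show what happened: nginx handed PHP a SCRIPT_FILENAME of /opt/html/domain/test.txt/1.php, that file does not exist, and the CGI side walked back up the path until it hit the existing test.txt and ran it. The following Python is an added illustration, not code from the reporter or from PHP or nginx; it models that path walk on a scratch document root built inline (the test.txt layout from the report is constructed here), and beside it the three defender-side checks that stop it: refusing to walk at all (the behaviour of PHP's cgi.fix_pathinfo=0), requiring the resolved script to end in .php, and the front-end check that the requested URI maps to a real file (what nginx's try_files $uri =404; does). Function names, the scratch directory and the sample files are this example's own assumptions.

```python
import os
import tempfile

# Constructed content for the scratch docroot: a non-.php upload that
# carries PHP tags, as in the report's test.txt.
UPLOAD_BODY = "<?php phpinfo(); ?>"


def walk_to_existing_file(document_root, script_filename):
    """Model of the lenient CGI behaviour the report shows (PHP with
    cgi.fix_pathinfo=1): SCRIPT_FILENAME does not exist, so trailing path
    components are peeled off until an existing file under the document
    root is found and the leftover becomes PATH_INFO.
    Returns (resolved_file, path_info), or (None, None) if nothing matches."""
    root = os.path.normpath(document_root)
    path = os.path.normpath(script_filename)
    path_info = ""
    while path.startswith(root + os.sep):
        if os.path.isfile(path):
            return path, path_info
        head, tail = os.path.split(path)
        path_info = "/" + tail + path_info
        path = head
    return None, None


def strict_script_filename(document_root, script_filename):
    """Hardened model (cgi.fix_pathinfo=0): the script must exist exactly as
    named and lie under the document root; no walking. Returns the path or
    None ("No input file specified.")."""
    root = os.path.normpath(document_root)
    path = os.path.normpath(script_filename)
    if path.startswith(root + os.sep) and os.path.isfile(path):
        return path
    return None


def fastcgi_gate(document_root, script_filename, allowed_suffix=".php"):
    """Check a gateway can apply even when PATH_INFO walking stays enabled:
    whatever file the walk resolves to must end in .php. A test.txt, .jpeg
    or other upload is refused even if it contains PHP tags.
    Returns (script, path_info) or None."""
    resolved, path_info = walk_to_existing_file(document_root, script_filename)
    if resolved is None or not resolved.endswith(allowed_suffix):
        return None
    return resolved, path_info


def try_files_exists(document_root, uri):
    """Front-end model of nginx `try_files $uri =404;`: the requested URI must
    map to an existing regular file before it is passed to FastCGI.
    /test.txt/fake.php is not a file, so the request would get a 404."""
    return os.path.isfile(os.path.join(document_root, uri.lstrip("/")))


def demo():
    """Build the report's layout in a scratch docroot, run each model against
    /test.txt/fake.php and against a legitimate index.php, and return the
    outcomes so they can be checked."""
    with tempfile.TemporaryDirectory() as docroot:
        with open(os.path.join(docroot, "test.txt"), "w") as fh:
            fh.write(UPLOAD_BODY)
        with open(os.path.join(docroot, "index.php"), "w") as fh:
            fh.write("<?php echo 'ok'; ?>")

        bad = os.path.join(docroot, "test.txt", "fake.php")  # the report's URI
        good = os.path.join(docroot, "index.php")

        lenient = walk_to_existing_file(docroot, bad)
        return {
            # lenient walk lands on test.txt and would execute it
            "lenient_runs_txt": lenient[0] is not None
            and lenient[0].endswith("test.txt"),
            "lenient_path_info": lenient[1],
            "strict_rejects": strict_script_filename(docroot, bad) is None,
            "gate_rejects": fastcgi_gate(docroot, bad) is None,
            "gate_allows_php": fastcgi_gate(docroot, good) is not None,
            "try_files_404": not try_files_exists(docroot, "/test.txt/fake.php"),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The walk is the thing to notice: it is legitimate when the resolved file is a real script (index.php/extra giving PATH_INFO of /extra), which is why the suffix gate keeps that case working while refusing the uploaded test.txt. Disabling the walk entirely or rejecting non-existent URIs at the front end closes the same gap with less logic, at the cost of breaking applications that rely on PATH_INFO.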
