ID: 50837 Updated by: [email protected] Reported By: info at karlblessing dot com -Status: Open +Status: Bogus Bug Type: CGI related Operating System: Debian 5.0 x86_64 GNU/Linux PHP Version: 5.2.12 New Comment:
This is a web server problem or configuration issue. Not a PHP issue. Previous Comments: ------------------------------------------------------------------------ [2010-01-25 21:25:19] info at karlblessing dot com Description: ------------ Webserver Used : Nginx 0.8.32 PHP Build Used : PHP 5.2.12 with FPM patch PHP is configured to run as fastcgi Non-php files could be excuted as php, when appended with a path and erroneous php file. Affects setups running PHP via Fastcgi, primarily on non-Apache setups. Could potentially allow someone uploading exploits, such as a jpeg with php code in it to wordpress (which doesn't check if its an actual jpeg, or headers), and execute code from there. Reproduce code: --------------- Save <?php phpinfo(); ?> into a file called test.txt and access it via http://domain.com/test.txt/fake.php Expected result: ---------------- No input file specified. Actual result: -------------- Actual result shows the usual PHP Info printout, with the following variables. _SERVER["SCRIPT_NAME"] no value _SERVER["SCRIPT_FILENAME"] /opt/html/domain/test.txt _SERVER["REQUEST_URI"] /test.txt/1.php _SERVER["DOCUMENT_URI"] /test.txt/1.php _SERVER["DOCUMENT_ROOT"] /opt/html/domain _SERVER["PATH_INFO"] no value _SERVER["PATH_TRANSLATED"] /opt/html/domain _SERVER["ORIG_PATH_INFO"] no value _SERVER["ORIG_SCRIPT_NAME"] /test.txt/1.php _SERVER["ORIG_SCRIPT_FILENAME"] /opt/html/domain/test.txt/1.php _SERVER["ORIG_PATH_TRANSLATED"] /opt/html/domain ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=50837&edit=1
