ID:               50837
User updated by:  info at karlblessing dot com
Reported By:      info at karlblessing dot com
Status:           Bogus
Bug Type:         CGI related
Operating System: Debian 5.0 x86_64 GNU/Linux
PHP Version:      5.2.12
New Comment:

As evidently shown, PHP accepted the original request uri of /test.txt/fake.php, and evidently shown in the php_info, it took that and changed the script_file name to test.txt. It should have tried to execute fake.php and returned no file could be found. If the webserver had instead sent test.txt as the script_filename, and /fake.php as the path_info, then I could understand it happening, but it did not.

Previous Comments:
------------------------------------------------------------------------

[2010-01-25 21:29:26] [email protected]

This is a web server problem or configuration issue. Not a PHP issue.

------------------------------------------------------------------------

[2010-01-25 21:25:19] info at karlblessing dot com

Description:
------------
Webserver Used : Nginx 0.8.32
PHP Build Used : PHP 5.2.12 with FPM patch
PHP is configured to run as fastcgi

Non-php files could be executed as php, when appended with a path and erroneous php file. Affects setups running PHP via Fastcgi, primarily on non-Apache setups. Could potentially allow someone uploading exploits, such as a jpeg with php code in it to wordpress (which doesn't check if it's an actual jpeg, or headers), and execute code from there.

Reproduce code:
---------------
Save <?php phpinfo(); ?> into a file called test.txt and access it via http://domain.com/test.txt/fake.php

Expected result:
----------------
No input file specified.

Actual result:
--------------
Actual result shows the usual PHP Info printout, with the following variables.

_SERVER["SCRIPT_NAME"]            no value
_SERVER["SCRIPT_FILENAME"]        /opt/html/domain/test.txt
_SERVER["REQUEST_URI"]            /test.txt/1.php
_SERVER["DOCUMENT_URI"]           /test.txt/1.php
_SERVER["DOCUMENT_ROOT"]          /opt/html/domain
_SERVER["PATH_INFO"]              no value
_SERVER["PATH_TRANSLATED"]        /opt/html/domain
_SERVER["ORIG_PATH_INFO"]         no value
_SERVER["ORIG_SCRIPT_NAME"]       /test.txt/1.php
_SERVER["ORIG_SCRIPT_FILENAME"]   /opt/html/domain/test.txt/1.php
_SERVER["ORIG_PATH_TRANSLATED"]   /opt/html/domain

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=50837&edit=1
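
Added example, not part of the bug report and not PHP's or Nginx's own code: a simplified Python model of the path fallback visible in the variables above (ORIG_SCRIPT_FILENAME /opt/html/domain/test.txt/1.php becoming SCRIPT_FILENAME /opt/html/domain/test.txt), next to a stricter resolver that refuses any resolved script not ending in .php. The function names, the extension allowlist and the temporary document root are assumptions made for the illustration.

```python
import os
import tempfile

ALLOWED_EXTENSIONS = (".php",)  # assumption: only .php may reach the interpreter


def resolve_script(script_filename, is_file=os.path.isfile):
    """Model of the fallback in the report: when the requested path is not a
    file, strip trailing segments until one is; the remainder is path info."""
    path, path_info = script_filename, ""
    while path and not is_file(path):
        head, sep, tail = path.rpartition("/")
        if not sep:
            return None, ""
        path, path_info = head, "/" + tail + path_info
    return (path or None), path_info


def resolve_script_strict(script_filename, is_file=os.path.isfile):
    """Same walk, but the file that would actually run must be a .php file."""
    script, path_info = resolve_script(script_filename, is_file)
    if script is None or not script.endswith(ALLOWED_EXTENSIONS):
        return None, ""  # behaves like "No input file specified."
    return script, path_info


def demo():
    """Resolve three constructed request paths against a throwaway docroot."""
    results = {}
    with tempfile.TemporaryDirectory() as docroot:
        for name in ("test.txt", "index.php"):  # constructed sample files
            with open(os.path.join(docroot, name), "w") as handle:
                handle.write("<?php phpinfo(); ?>")
        for uri in ("/test.txt/fake.php", "/index.php/extra", "/missing.php"):
            loose = resolve_script(docroot + uri)[0]
            strict = resolve_script_strict(docroot + uri)[0]
            results[uri] = (
                loose and os.path.relpath(loose, docroot),
                strict and os.path.relpath(strict, docroot),
            )
    return results


if __name__ == "__main__":
    for uri, (loose, strict) in demo().items():
        print(f"{uri:22} fallback -> {loose!s:10} strict -> {strict}")
```

In a real deployment the corresponding controls are the php.ini directive cgi.fix_pathinfo and, in PHP-FPM releases later than the 5.2.12 build in this report, the pool setting security.limit_extensions.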
