ID:               50837
 User updated by:  info at karlblessing dot com
 Reported By:      info at karlblessing dot com
 Status:           Bogus
 Bug Type:         CGI related
 Operating System: Debian 5.0 x86_64 GNU/Linux
 PHP Version:      5.2.12
 New Comment:

1.php was from a previous test when I typed /1.php after test.txt; if you
type /fake.php after test.txt it'll show fake.txt, just like how I don't
own domain.com. You apparently can't go back and edit the original.


Previous Comments:
------------------------------------------------------------------------

[2010-01-25 22:30:10] [email protected]

Well, first, there is no fake.php in your output there.  So I don't know
about your "evidently" since your evidence doesn't match at all.

And second, PHP doesn't set SCRIPT_FILENAME, your web server does.  So
your web server determined that the script to execute was
"/opt/html/domain/test.txt" evidently as per your own evidence.  So PHP
executed that script.  I am not sure why that is surprising to you.
Why is your web server telling PHP to run test.txt?  PHP doesn't check
the filetype.  It runs what it is told to run.

------------------------------------------------------------------------

[2010-01-25 22:17:34] info at karlblessing dot com

As evidently shown, PHP accepted the original request URI of
/test.txt/fake.php, and, as evidently shown in the phpinfo, it took that
and changed the script_filename to test.txt.

It should have tried to execute fake.php and returned that no file could
be found. If the web server had instead sent test.txt as the
script_filename and /fake.php as the path_info, then I could understand
it happening, but it did not.

------------------------------------------------------------------------

[2010-01-25 21:29:26] [email protected]

This is a web server problem or configuration issue.  Not a PHP issue.

------------------------------------------------------------------------

[2010-01-25 21:25:19] info at karlblessing dot com

Description:
------------
Webserver Used : Nginx 0.8.32
PHP Build Used : PHP 5.2.12 with FPM patch
PHP is configured to run as fastcgi

Non-PHP files can be executed as PHP when appended with a path and an
erroneous PHP file.

Affects setups running PHP via FastCGI, primarily on non-Apache setups.

Could potentially allow someone to upload exploits, such as a JPEG with
PHP code in it, to WordPress (which doesn't check if it's an actual JPEG,
or headers), and execute code from there.

Reproduce code:
---------------
Save <?php phpinfo(); ?> into a file called test.txt and access it via
http://domain.com/test.txt/fake.php

Expected result:
----------------
No input file specified.

Actual result:
--------------
Actual result shows the usual PHP Info printout, with the following 
variables.

_SERVER["SCRIPT_NAME"]  no value
_SERVER["SCRIPT_FILENAME"]      /opt/html/domain/test.txt
_SERVER["REQUEST_URI"]  /test.txt/1.php
_SERVER["DOCUMENT_URI"] /test.txt/1.php
_SERVER["DOCUMENT_ROOT"]        /opt/html/domain
_SERVER["PATH_INFO"]    no value
_SERVER["PATH_TRANSLATED"]      /opt/html/domain

_SERVER["ORIG_PATH_INFO"]       no value
_SERVER["ORIG_SCRIPT_NAME"]     /test.txt/1.php
_SERVER["ORIG_SCRIPT_FILENAME"] /opt/html/domain/test.txt/1.php
_SERVER["ORIG_PATH_TRANSLATED"] /opt/html/domain



------------------------------------------------------------------------
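The mechanism argued over in the comments above (PHP runs whatever SCRIPT_FILENAME the web server hands it, and with cgi.fix_pathinfo=1 it walks a non-existent SCRIPT_FILENAME back to the nearest existing file) and the upload scenario in the original description are shown together in the following Python script. It is an added example, not code from the bug report, from PHP or from nginx: `fix_pathinfo()` is a simplified emulation of the PHP CGI/FastCGI SAPI behaviour, `safe_script_filename()` is the check a front end should make before handing a request to PHP, and the document root, file names (`uploads/avatar.jpg`, `index.php`, `/fake.php`) and file contents are constructed for the demonstration.

```python
"""
Added example; not code from the bug report, from PHP, or from nginx.

fix_pathinfo() emulates what PHP's CGI/FastCGI SAPI does with a
SCRIPT_FILENAME that does not exist on disk when cgi.fix_pathinfo=1 (the
default), which is how the report's /test.txt/1.php ended up as
SCRIPT_FILENAME=/opt/html/domain/test.txt. safe_script_filename() is the
check a front end must make before PHP is involved. Docroot, file names
and file contents below are constructed for the demo.
"""
import os
import tempfile
from typing import Dict, Optional, Tuple

PHP_EXTENSIONS = (".php",)   # assumption: only .php may reach the interpreter


def fix_pathinfo(script_filename: str) -> Tuple[Optional[str], str]:
    """Emulate cgi.fix_pathinfo=1 (simplified from PHP's CGI SAPI).

    If SCRIPT_FILENAME is an existing file, use it as-is. Otherwise strip
    one trailing path component at a time until an existing regular file
    is found; that file becomes the script PHP runs and the stripped tail
    becomes PATH_INFO. No file-type check is made: test.txt or a .jpg is
    run just the same. Returns (script, path_info), or (None, "") when
    nothing is found ("No input file specified.").
    """
    path, path_info = script_filename, ""
    while path:
        if os.path.isfile(path):
            return path, path_info
        head, tail = os.path.split(path)
        if head == path:                  # reached the filesystem root
            break
        path_info = "/" + tail + path_info
        path = head
    return None, ""


def safe_script_filename(docroot: str, request_path: str) -> Optional[str]:
    """What `try_files $uri =404;` in a `.php`-only nginx location gives you.

    The requested path must itself be a regular file inside the document
    root and carry a PHP extension; anything else gets a 404 before PHP
    ever sees a SCRIPT_FILENAME, so no path walking can happen. Returns
    the absolute script path, or None to refuse the request.
    """
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, request_path.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None                       # escapes the docroot (../ etc.)
    if not os.path.isfile(candidate):
        return None                       # /x.jpg/fake.php is not a file
    if not candidate.lower().endswith(PHP_EXTENSIONS):
        return None                       # an existing .jpg is not a script
    return candidate


def demo() -> Dict[str, Optional[str]]:
    """Constructed docroot: an uploaded "image" that really holds PHP code.

    Compares what cgi.fix_pathinfo=1 does with what the hardened check does
    for the request /uploads/avatar.jpg/fake.php, plus two control cases.
    """
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.realpath(tmp)
        os.makedirs(os.path.join(docroot, "uploads"))
        with open(os.path.join(docroot, "uploads", "avatar.jpg"), "w") as f:
            f.write("<?php phpinfo(); ?>")    # constructed: PHP code in a "JPEG"
        with open(os.path.join(docroot, "index.php"), "w") as f:
            f.write("<?php echo 'ok'; ?>")   # constructed: a legitimate script

        uri = "/uploads/avatar.jpg/fake.php"
        # Vulnerable front end: passes $document_root + request path verbatim,
        # PHP walks it back and executes the upload.
        script, path_info = fix_pathinfo(docroot + uri)
        # Hardened front end: only an exact, existing .php file reaches PHP.
        blocked = safe_script_filename(docroot, uri)
        allowed = safe_script_filename(docroot, "/index.php")
        traversal = safe_script_filename(docroot, "/../../etc/passwd")

        rel = lambda p: os.path.relpath(p, docroot) if p else None
        return {
            "fix_pathinfo_runs": rel(script),          # uploads/avatar.jpg
            "fix_pathinfo_path_info": path_info,       # /fake.php
            "hardened_upload_request": rel(blocked),   # None (404)
            "hardened_index_request": rel(allowed),    # index.php
            "hardened_traversal": rel(traversal),      # None (404)
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26} {value}")
```

In the report's own terms, the usual `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;` hands /opt/html/domain/test.txt/1.php to PHP (the ORIG_SCRIPT_FILENAME shown in the phpinfo output), and the walk in `fix_pathinfo()` turns it into /opt/html/domain/test.txt. The standard fixes are on the front-end side: `try_files $uri =404;` inside the nginx `location ~ \.php$` block, so nginx refuses anything that is not an existing file before PHP is involved, and `cgi.fix_pathinfo=0` in php.ini, so PHP refuses a non-existent SCRIPT_FILENAME instead of walking it back; PHP-FPM releases from 5.3.9 onward additionally offer `security.limit_extensions = .php`, which did not exist for the 5.2.12 build in this report.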


-- 
Edit this bug report at http://bugs.php.net/?id=50837&edit=1
