From:             bernardino_lopez at yahoo dot com
Operating system: Linux
PHP version:      4.3.11
PHP Bug Type:     *General Issues
Bug description:  Files with the PHP Extension execute with "/" instead of "." running the Script

Description:
------------
Open any PHP page and replace the "." of the file extension by "/".

Example:
http://www.abc.com/phpinfo.php

Replace the URL address with:
http://www.abc.com/phpinfo/php

The script is going to execute.

Reproduce code:
---------------
No code, just replace your URL from the extension ".php" for "/php"

Expected result:
----------------
Same page execution of the original page. Not sure if possible to parse extra parameters to any exposed script to execute....

Actual result:
--------------
Page executes regardless of the
phpinfo.php
phpinfo/php

At this point looking for a major impact, because in case of being able to pass arbitrary commands to the script to execute, it will create a major security issue.

Best Regards
Dinooz.

--
Edit bug report at http://bugs.php.net/?id=32934&edit=1