COMMAND

php.exe allows access of all web server files

SYSTEMS AFFECTED

All versions

PROBLEM

Paul Brereton announced [http://www.fbb-security.com/] :

As advised in the installation text that comes with all versions of PHP, when installing PHP.EXE for use on a Windows machine running Apache, the user should insert a few lines into the Apache "httpd.conf". These exact lines are shown here:

    ScriptAlias /php/ "c:/php/"
    AddType application/x-httpd-php .php
    Action application/x-httpd-php "/php/php.exe"

The problem with this exploit is due to the ScriptAlias line that it is recommended you add to your configuration. This line effectively maps the alias /php/ to your web document root such that typing "http://www.someserver.com/php/" will actually try to access, in this case, "c:\php\". Please note that the last "/" on the end of the URL has to exist for this to work ("http://www.someserver.com/php" will not work). At this point your server will tell you "Access Denied"; however, if you now specify the URL "http://www.someserver.com/php/php.exe", you will see the error "No input file specified". This error is actually returned by php.exe, which you have just executed on the server.

There are many exploits that can happen with this setup (some very serious, which could be used to gain root access). Here are a few examples:

Exploit 1:
=========

It is possible to read ANY file remotely on the server, even across drives, with the following URL construct:

    http://www.someserver.com/php/php.exe?c:\winnt\repair\sam

PHP.EXE will parse the sam file "c:\winnt\repair\sam" and return it to the browser for download.

    http://www.someserver.com/php/php.exe?d:\winnt\repair\sam

PHP.EXE will look for the same file on the D: drive. The above sam file can then be used to decrypt all the account passwords for the server.

Editor's note: also try "http://www.someserver.com/php/php.exe?c:\boot.ini"

Exploit 2:
=========

If you specify a file that exists in the php directory (different files exist depending on the version of PHP), the webserver will try to execute this file and will throw back an error reporting the install directory of php. So in PHP4, for example, you would specify the following line:

    http://www.someserver.com/php/php4ts.dll

The error returned by the webserver would be:

    couldn't create child process: 22693: C:/php/php4ts.dll

showing the install path of PHP.

SOLUTION

There is no solution at this time; however, you can make the directory (and the alias that points to it) more obscure by choosing a name that is difficult to guess or brute force.
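To detect attempts against this configuration in Apache access logs, here is an added example (not part of the advisory or of PHP) in Python: it parses common-log-format lines and flags requests under the ScriptAlias that invoke php.exe directly, pass an absolute Windows path as the query string, or probe other files in the PHP install directory. The log lines and the "/php/" alias name are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common log format (not from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2001:10:01:02 +0000] "GET /index.php HTTP/1.0" 200 512
10.0.0.9 - - [12/Oct/2001:10:01:07 +0000] "GET /php/php.exe?c:\\winnt\\repair\\sam HTTP/1.0" 200 24576
10.0.0.9 - - [12/Oct/2001:10:01:09 +0000] "GET /php/php.exe?d:%5Cboot.ini HTTP/1.0" 200 300
10.0.0.9 - - [12/Oct/2001:10:01:12 +0000] "GET /php/php4ts.dll HTTP/1.0" 500 400
10.0.0.5 - - [12/Oct/2001:10:01:20 +0000] "GET /php/ HTTP/1.0" 403 200
"""

# Common log format: client, identd, user, [time], "request", status, bytes.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A query string naming an absolute Windows path, e.g. c:\winnt\... or d:/...
DRIVE_PATH_RE = re.compile(r'^[A-Za-z]:[\\/]')

def classify_request(target, alias="/php/"):
    """Return a finding label for one request target, or None if benign."""
    # Assumption: `alias` is the ScriptAlias that maps onto the PHP install directory.
    path, _, query = target.partition("?")
    path = unquote(path)
    query = unquote(query)
    if not path.lower().startswith(alias):
        return None
    leaf = path[len(alias):].lower()
    if leaf == "php.exe":
        if DRIVE_PATH_RE.match(query):
            return "php.exe invoked with absolute file path"  # arbitrary file read
        return "php.exe invoked directly"
    if leaf:
        return "probe of file inside PHP install directory"  # leaks install path
    return "listing attempt on ScriptAlias root"

def scan_log(text, alias="/php/"):
    """Return (client, status, target, finding) for every suspicious log line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable common-log line
        finding = classify_request(m.group("target"), alias)
        if finding:
            findings.append((m.group("client"), int(m.group("status")), m.group("target"), finding))
    return findings

if __name__ == "__main__":
    for client, status, target, finding in scan_log(SAMPLE_LOG):
        print(f"{client} {status} {target}: {finding}")
```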