Reported December 6, 2000 by CHINANSL

VERSIONS AFFECTED
  • Apache Web Server 1.3

DESCRIPTION

A security issue has been identified on Windows NT and Windows 2000 servers running Apache Web servers and PHP3. A malicious user can use this vulnerability to access the contents of various files.

DEMONSTRATION

For example, a malicious user who wants to access the httpd.conf file runs the following command from a Web browser:

http://www.vulnerablecom/index.php3.%5c../..%5cconf/httpd.conf.
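
Added example, not part of the original advisory: a log check that decodes each request path, treats the decoded %5c (backslash) as a path separator the way Windows does, and flags requests whose ".." segments climb above the document root. The log lines, addresses and function names are constructed for illustration; only the flagged path is taken from the URL above.

```python
import re
from urllib.parse import unquote, urlsplit

# Matches the request part of a Common Log Format line and captures the target.
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def levels_above_root(target: str) -> int:
    """How many directory levels above the document root the path reaches (0 = contained)."""
    # Decode percent-escapes such as %5c first, then treat '\' like '/'.
    path = unquote(urlsplit(target).path).replace("\\", "/")
    depth = lowest = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        depth += -1 if segment == ".." else 1
        lowest = min(lowest, depth)  # remember the highest point the path climbed to
    return -lowest

def flag_log_lines(lines):
    """Return (request target, levels) for every log line whose path leaves the root."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        levels = levels_above_root(match.group(1))
        if levels > 0:
            hits.append((match.group(1), levels))
    return hits

# Constructed access-log lines (documentation-range addresses, made-up sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Dec/2000:10:00:01 +0000] "GET /index.php3 HTTP/1.0" 200 1024',
    '192.0.2.10 - - [06/Dec/2000:10:00:05 +0000] "GET /docs/../index.php3 HTTP/1.0" 200 1024',
    '198.51.100.7 - - [06/Dec/2000:10:01:12 +0000] '
    '"GET /index.php3.%5c../..%5cconf/httpd.conf. HTTP/1.0" 200 8192',
]

if __name__ == "__main__":
    for target, levels in flag_log_lines(SAMPLE_LOG):
        print(f"escapes document root by {levels} level(s): {target}")
```

The second sample line contains ".." but stays inside the document root, so only the encoded-backslash request is reported.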

VENDOR RESPONSE

The vendor has been contacted, but no response has been received.  

CREDIT
Discovered by CHINANSL