IIS 4, PHP4

A vulnerability has been reported in Microsoft Internet Information Server (IIS) when it runs PHP scripts from an NTFS-based file system. A remote user can obtain the source code of PHP pages.

With a Microsoft Windows NT server running IIS and PHP scripting, a remote user can obtain the source code for PHP scripts using the following type of URL:

http://[targethost]/file.php::$DATA

In July 1998, a similar problem was reported regarding the disclosure of ASP source code. For the original report, see:

http://archives.neohapsis.com/archives/ntbugtraq/1998/msg00360.html

Microsoft provided a fix for the original problem. For the Microsoft fix, see:

http://support.microsoft.com/support/kb/articles/Q188/8/06.ASP

In Microsoft's knowledge base article, the flaw is attributed to the ability of IIS to access the NTFS data stream attribute directly.

It is reported that the vendor fix from 1998 does not prevent PHP source code from being viewed by remote users.

No solution was available from Microsoft at this time.
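
A log check for this request pattern, as an added example that is not part of the original advisory: it scans W3C extended format log lines for request paths carrying the ::$DATA suffix, decoding percent-escapes before matching. The sample log, its field layout, and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# NTFS default-stream suffix from the advisory's URL form: file.php::$DATA
STREAM_SUFFIX = re.compile(r"::\$DATA", re.IGNORECASE)

# Constructed sample in W3C extended log format (field layout is an assumption).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-01-01 10:00:01 192.0.2.10 GET /index.php 200
2001-01-01 10:00:05 198.51.100.7 GET /file.php::$DATA 200
2001-01-01 10:00:09 198.51.100.7 GET /file.php%3a%3a%24data 404
2001-01-01 10:00:12 192.0.2.10 GET /data/report.php 200
"""

def normalize(path, max_rounds=3):
    """Percent-decode until stable so an encoded ':' or '$' still matches."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def find_stream_requests(log_lines):
    """Return one record per request whose path names the ::$DATA stream."""
    fields, hits = [], []
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column order is declared in the log itself; honour it.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        path = normalize(rec.get("cs-uri-stem", ""))
        if STREAM_SUFFIX.search(path):
            hits.append({
                "when": f"{rec.get('date')} {rec.get('time')}",
                "client": rec.get("c-ip"),
                "path": path,
                # A 200 means the server answered; treat the script source as exposed.
                "served": rec.get("sc-status") == "200",
            })
    return hits

if __name__ == "__main__":
    for hit in find_stream_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

Any hit with "served" set means the scripts involved should be reviewed for embedded credentials or other secrets that may now be known outside the server.
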
Source: NDR113