COMMAND

    php (CGI)

SYSTEMS AFFECTED

    Systems running this CGI script.

PROBLEM

    A vulnerability has been found by DiS in PHP/FI, an NCSA httpd CGI
    enhancement.  This vulnerability allows unauthorized users to view
    arbitrary file contents on the machine running httpd by sending
    the name of the file to be displayed as the QUERY_STRING.

    To exploit this, simply use any web browser to send the following
    URL:

        http://boogered.system.com/cgi-bin/php.cgi?/file/to/view

    Note: this exploit has not been tested on a system that has
    compiled PHP/FI as an Apache module.  This information may or may
    not be applicable on such a system.

    Remote, unauthorized users can view arbitrary file contents on the
    system with the same privileges as the httpd (HTTP daemon) child
    process.

SOLUTION

    The workaround is to set the following in php.h:

        #define PATTERN_RESTRICT ".*\\.phtml$"

    This will limit the php.cgi parser to only display files ending
    in .phtml.
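
    The effect of that pattern on requested file names, as an added
    example (not PHP/FI source code).  It assumes the pattern is
    applied as a POSIX extended regular expression to the requested
    path; path_allowed() and the sample paths are hypothetical.

```c
#include <regex.h>
#include <stdio.h>

/* Same value the advisory sets in php.h. */
#define PATTERN_RESTRICT ".*\\.phtml$"

/* Hypothetical helper: returns 1 if the requested path matches
 * PATTERN_RESTRICT, 0 if it must be refused, -1 if the pattern
 * itself fails to compile. */
int path_allowed(const char *path)
{
    regex_t re;
    int rc;

    if (path == NULL)
        return 0;
    if (regcomp(&re, PATTERN_RESTRICT, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, path, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

int main(void)
{
    /* Constructed sample values for the requested file name. */
    const char *samples[] = {
        "/etc/passwd",                  /* refused: wrong suffix     */
        "/home/user/page.phtml",        /* served                    */
        "/home/user/page.phtml.bak",    /* refused: suffix not last  */
        "/any/dir/on/disk/other.phtml", /* served: directory is not  */
                                        /* constrained by the pattern */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s %s\n", samples[i],
               path_allowed(samples[i]) == 1 ? "served" : "refused");
    return 0;
}
```

    The pattern constrains only the file name suffix, so any .phtml
    file readable by the httpd child process is still served, whatever
    directory it lives in.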

    The exact same advisory applies to any other parser someone
    might decide to stick in their cgi-bin directory.  This is in no
    way specific to PHP/FI.  You can also avoid the problem by using
    either CGI redirection or by using the Apache module version.

    The current PHP/FI distribution may be obtained from:

        http://www.vex.net/php