PHP mylog.html script allows remote file read

http-cgi-php-mylog (1468) The risk level is classified as Medium Risk

Description:

The 'mylog.html' sample script shipped with the PHP/FI package contains a vulnerability that allows remote attackers to view any file on the system. Attackers are limited to viewing files accessible to the user the httpd server runs as, generally "nobody." The same vulnerability also resides in the 'mlog.html' script shipped with PHP/FI.


Consequences:

File Manipulation

Remedy:

Remove any instance of mlog and mylog scripts from your server and obtain a patch from the PHP Web site.
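
To check that the remedy above has taken effect, the following added example (not part of this record or of PHP/FI) scans web server access logs in Common Log Format for requests to the two sample scripts and reports whether each was still served. The function name and the log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Sample scripts named in the advisory.
SAMPLE_SCRIPTS = {"mlog.html", "mylog.html"}

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def flag_sample_script_requests(lines):
    """Return a finding for each request whose path ends in a sample script."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF request line; skip rather than guess
        parts = urlsplit(m["target"])
        # Decode percent-escapes so an encoded file name still matches,
        # and compare the last path segment only (no substring matches).
        name = unquote(parts.path).rsplit("/", 1)[-1].lower()
        if name in SAMPLE_SCRIPTS:
            status = int(m["status"])
            findings.append({
                "host": m["host"],
                "time": m["time"],
                "script": name,
                "has_query": bool(parts.query),
                # A 2xx status means the script is still installed and ran.
                "served": 200 <= status < 300,
            })
    return findings

# Constructed sample log lines (documentation addresses, placeholder query).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Oct/1997:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [19/Oct/1997:10:02:11 +0000] "GET /php/mylog.html?x=1 HTTP/1.0" 200 512',
    '198.51.100.7 - - [19/Oct/1997:10:02:15 +0000] "GET /php/%6Dlog.html HTTP/1.0" 404 210',
    '203.0.113.5 - - [19/Oct/1997:10:03:00 +0000] "GET /blog.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for finding in flag_sample_script_requests(SAMPLE_LOG):
        print(finding)
```

Any finding with "served" set to true indicates a copy of the script that still needs to be removed.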

Platforms Affected:

  • PHP PHP
  • Various vendors Any application
  • Various vendors Common Gateway Interface (CGI)

Reported:

Oct 19, 1997

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net