[23511] in bugtraq
Win ME, Apache/1.3.20 and PHP/4.0.4pl1 Source disclosure
daemon@ATHENA.MIT.EDU (Bill Q)
Sat Dec 15 15:03:54 2001
Date: 15 Dec 2001 01:26:49 -0000
Message-ID: <20011215012649.17676.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Bill Q <defacementmonitor@hotmail.com>
To: bugtraq@securityfocus.com
It appears as if PHP/4.0.4 installed on Win ME
running Apache/1.3.20 will disclose php source if the
url is entered with pounds surrounding the dot.
http://server.com/phpfile#.#php
I have tested this on:
Apache/1.3.22 (Win32) PHP/4.0.6 (Win2K pro)
And it is not vulnerable. This may be a Win ME thing..
I would be curious if Apache/1.3.22 on Win ME is
vulnerable
Now WHY someone would have a webserver on
ME....is another question....
