Microsoft Internet Information Server (IIS) May Disclose PHP Scripting Source Code
SecurityTracker Alert ID: 1002651|
SecurityTracker URL: http://securitytracker.com/id/1002651
(Links to External Site)
Date: Oct 29 2001
Disclosure of system information, Disclosure of user information|
Exploit Included: Yes |
Version(s): IIS 4, PHP4|
A vulnerability has been reported in Microsoft Internet Information Server (IIS) when running PHP scripting and when configured on an NTFS-based file system. A remote user can obtain the source code of PHP pages.|
With a Microsoft Windows NT server running IIS and PHP scripting, a remote user can obtain the source code for PHP scripts using the following type of URL:
In July 1998, a similar problem was reported regarding the disclosure of ASP source code. For the original report, see:
Microsoft provided a fix for the original problem. For the Microsoft fix, see:
In Microsoft's knowledge base article, the flaw is blamed on the ability of IIS to access the NTFS data stream attribute directly.
It is reported that the vendor fix from 1998 does not prevent PHP source code from being viewed by remote users.
A remote user can obtain PHP script source code from the web server.|
No solution was available at the time of this entry.|
Vendor URL: www.microsoft.com/technet/security/ (Links to External Site)
Input validation error|
|Underlying OS: Windows (NT)|
Source Message Contents
Subject: data stream bug still alive?|
Data Stream Bug may still work (on a unsual configuration)
+ Past Problem
The Windows NT file system, NTFS, support multiple data streams within a
file, been DATA the main content stream.
Was reported on July 8, 1998 by Paul Ashton on this mailing list the
posibility of get remotely by IIS the source code of files like an ASP
script. This was done by requesting the file and ::$DATA. Microsoft relase a
fix, and the problem was solve on the subsequent Service Packs for Windows
+ Present Problem
Yet, this problem -it seems to us- that on some unusual configuration as a
Windows NT box, with IIS and PHP scripting, persist. In our tests on two
separete Windows NT boxes, with IIS 4, PHP4, the fix available for the bug
and the latest SP6a, is still possible to obtain the source of PHP files.
Besides the obvious vulnerability, this show that the fix given by Microsoft
far from solving the real problem, it just did the the "workarounds" on the
registry on how to manage specific extensions (.asp, .pl, and so on)
Anyone how can confirm or refute this please post it.
+ More Informtion
":$DATA Stream Name of a File May Return Source"
"HOW TO: Use NTFS Alternate Data Streams"
Roberto Alamos M. (firstname.lastname@example.org)
Carlos Gaona U. (email@example.com)