CVE-2002-2029

Apache HTTP Server - Arbitrary File Read and Program Execution via PHP Query String

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2002-2029. PoCs published by Paul Brereton.

AI-analyzed exploit summary This is a writeup describing a path traversal vulnerability in Apache PHP.EXE on Windows, allowing arbitrary file disclosure or execution of binaries in the PHP directory via crafted URLs.

Description

PHP, when installed on Windows with Apache and ScriptAlias for /php/ set to c:/php/, allows remote attackers to read arbitrary files and possibly execute arbitrary programs via an HTTP request for php.exe with a filename in the query string.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Paul Brereton · textremotewindows
https://www.exploit-db.com/exploits/21204

This is a writeup describing a path traversal vulnerability in Apache PHP.EXE on Windows, allowing arbitrary file disclosure or execution of binaries in the PHP directory via crafted URLs.

Classification
Writeup 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Apache PHP.EXE (default configuration on Windows)
No auth needed
Prerequisites: Apache with PHP.EXE in default configuration on Windows
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/3786
Third Party Advisory vdb-entry x_refsource_xf
http://www.iss.net/security_center/static/7815.php

Scores

EPSS 0.2460
EPSS Percentile 97.6%

Details

Status published
Products (10)
apache/http_server 1.3.11
apache/http_server 1.3.12
apache/http_server 1.3.13
apache/http_server 1.3.14
apache/http_server 1.3.15
apache/http_server 1.3.16
apache/http_server 1.3.17
apache/http_server 1.3.18
apache/http_server 1.3.19
apache/http_server 1.3.20
Published Dec 31, 2002
Tracked Since Feb 18, 2026