Description
PHP, when installed on Windows with Apache and ScriptAlias for /php/ set to c:/php/, allows remote attackers to read arbitrary files and possibly execute arbitrary programs via an HTTP request for php.exe with a filename in the query string.
Exploits (1)
exploitdb
WRITEUP
VERIFIED
by Paul Brereton · textremotewindows
https://www.exploit-db.com/exploits/21204
References (3)
Core 3
Core References
Exploit x_refsource_misc
http://www.securiteam.com/windowsntfocus/5ZP030U60U.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/3786
Third Party Advisory vdb-entry
x_refsource_xf
http://www.iss.net/security_center/static/7815.php
Scores
EPSS
0.4812
EPSS Percentile
97.8%
Details
Status
published
Products (10)
apache/http_server
1.3.11
apache/http_server
1.3.12
apache/http_server
1.3.13
apache/http_server
1.3.14
apache/http_server
1.3.15
apache/http_server
1.3.16
apache/http_server
1.3.17
apache/http_server
1.3.18
apache/http_server
1.3.19
apache/http_server
1.3.20
Published
Dec 31, 2002
Tracked Since
Feb 18, 2026