Vulnerabilities > CVE-2002-0253 - Information Disclosure vulnerability in PHP Include File Relative Directory

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

php

NVD

Published: 2002-05-29

Updated: 2016-10-18

Summary

PHP, when not configured with the "display_errors = Off" setting in php.ini, allows remote attackers to obtain the physical path for an include file via a trailing slash in a request to a directly accessible PHP program, which modifies the base path, causes the include directive to fail, and produces an error message that contains the path.

Vulnerable Configurations

Part	Description	Count
Application	Php PHP PHP 4.0 PHP PHP 4.0.1 PHP PHP 4.0.3 PHP PHP 4.0.4 PHP PHP 4.0.5 PHP PHP 4.0.6 PHP PHP 4.1.0 PHP PHP 4.1.2	9

References

http://marc.info/?l=bugtraq&m=101318944130790&w=2
http://www.iss.net/security_center/static/8122.php
http://www.securityfocus.com/bid/4063