PHP default installation generates system vulnerabilities _php basics

This vulnerability was published in Packetstorm, and I turned it into Chinese, plus some of my own annotations, hoping to execute on NT
PHP friends have some help.

When you download PHP, it helps to install PHP on NT + Apache Web Server in the installation files it contains
, the installation help will allow you to add the following lines to the Apache httpd.conf settings file, which
The piece will guide you to open your system door wide.

These lines of command are:

scriptalias/php/"c:/php/"
AddType application/x-httpd-php. php
Action application/x-httpd-php "/php/php.exe"

We further explain these three line settings, which require Apache to map/php/This virtual directory directly to c:/php/
directory, so when you use:

"Http://www.example.com/php/"

When you link to a Web page, the Web Server is actually accessed directly to the c:/php/directory, where you will see "Access Denied"
Error message, but when you switch to:

"Http://www.example.com/php/php.exe"

command to connect, you will find that the server echoes "No input file specified." This line of words is made by Php.exe
The loopback, which indicates that you have just executed the PHP execution file on this server.

If your server is set up using the installation methods that are taught in PHP, you may have the following crisis.

[* * Vulnerability 1 * *]

We can use this vulnerability to read any of the files on this server, or even read across disks, as long as you connect using the following ways:

"Http://www.example.com/php/php.exe?c:\winnt\repair\sam"

PHP throws the file "C:\winnt\repair\sam" to the browser and displays it, which is the same file as Windows NT
Where the password is saved,

"Http://www.example.com/php/php.exe?d:\winnt\repair\sam"

PHP will send the same file on the D: disk.
With this SAM file, hackers can use to decipher the password you set on this machine.

[* * Vulnerability 2 * *]

If you specify a file in the PHP directory, your WEB server will try to execute the file and pass the error message, so when you
Use of:

"Http://www.example.com/php/php4ts.dll"

This error causes the Web Server to return "couldn<|>t Create Child Process:22693:c:/php/php4ts.dll"
This information, thus omitting the real directory where you install PHP

PS. After my test, the second vulnerability will return the "Internal Server error" error when it executes on the PHP V4.11.
The directory structure is not leaking back, but in PHP V4.11 the first vulnerability is still valid.

Easy workaround: Use a long, difficult to determine virtual directory to place PHP execution files, such as:

scriptalias/php-my-script/"c:/php411/"
AddType application/x-httpd-php. php
Action application/x-httpd-php "/php-my-script/php.exe"

This will make it difficult for intruders to learn about PHP's hosting directory and reduce the chance of intrusion.
Remember to restart the Apache Service after changing the httpd.conf:

NET STOP APACHE
NET START APACHE

[end]