Description

PHP, when not configured with the "display_errors = Off" setting in php.ini, allows remote attackers to obtain the physical path for an include file via a trailing slash in a request to a directly accessible PHP program, which modifies the base path, causes the include directive to fail, and produces an error message that contains the path.

Remediation

References

CVE-2002-0253

Related Vulnerabilities

Apache HTTP Server Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2007-6514)

ReviveAdserver Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2015-7372)

PHP Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2016-6296)

WordPress Plugin Registrations for the Events Calendar-Event Registration SQL Injection (2.7.5)

PHP Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2014-9427)

Severity

Medium

Classification

CVE-2002-0253

Tags

Missing Update Known Vulnerabilities