CVE-2002-0614 in PHP-Survey

Summary

by MITRE

PHP-Survey 20000615 and earlier stores the global.inc file under the web root, which allows remote attackers to obtain sensitive information, including database credentials, if .inc files are not preprocessed by the server.

Analysis

by VulDB Data Team • 09/15/2025

The vulnerability identified as CVE-2002-0614 affects PHP-Survey versions 20000615 and earlier, presenting a critical information disclosure risk due to improper file placement within the web root directory structure. This flaw represents a fundamental security misconfiguration that exposes sensitive system components to unauthorized access, creating potential pathways for attackers to escalate their privileges and compromise the entire application infrastructure.

The technical flaw stems from the application's design decision to place the global.inc configuration file within the web-accessible directory tree, specifically under the web root. Remote attackers can therefore request the file directly through standard web requests, and if the server does not preprocess .inc files, it returns the file's contents as-is, bypassing any intended access controls or server-side processing mechanisms. The global.inc file typically contains critical database connection parameters, authentication credentials, and other sensitive configuration data that should remain protected from public exposure.

From an operational impact perspective, this vulnerability enables attackers to obtain database credentials and other sensitive information without requiring any authentication or authorization. The exposure of database connection details can lead to direct database access, data exfiltration, and potential system compromise. The vulnerability is particularly dangerous because it operates at the configuration level rather than requiring exploitation of application logic flaws, making it accessible to attackers with minimal technical expertise.

The security implications extend beyond simple credential theft, as this vulnerability aligns with multiple ATT&CK techniques including credential access and reconnaissance. The flaw demonstrates poor security practices in file placement and access control implementation, representing a violation of the principle of least privilege and secure configuration management. Organizations using affected versions of PHP-Survey face significant risk of data breaches and system compromise.

Mitigation strategies should focus on immediate remediation through proper file placement outside the web root directory, implementation of proper access controls, and server-side configuration to prevent direct access to sensitive files. Additionally, organizations should conduct comprehensive security reviews of all applications to identify similar misconfigurations and implement automated scanning processes to detect and prevent such vulnerabilities. The vulnerability serves as a critical reminder of the importance of secure development practices and proper file access controls in web applications.
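As an added example (not part of the VulDB entry or of PHP-Survey), the audit below walks a web root and reports PHP source files that the server would return unprocessed and that define credential-like variables. The handled-extension set, the variable-name heuristic and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: extensions this server hands to the PHP interpreter; anything
# else under the web root is returned to the client as raw text.
PHP_HANDLED = {".php"}
# Heuristic (assumption): PHP assignments that look like connection secrets.
SECRET_RE = re.compile(
    r"\$(\w*(?:pass|pwd|user|host|db)\w*)\s*=\s*[\"'][^\"']*[\"']", re.I)

def find_exposed_includes(web_root, handled=PHP_HANDLED):
    """Return [(relative_path, [variable names])] for PHP source files that
    sit under web_root but would be served unprocessed."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in handled:
                continue  # interpreted server-side, source is not returned
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                text = fh.read(65536)  # config files are small; cap the read
            if "<?" not in text:
                continue  # no PHP open tag, not PHP source
            names = sorted({m.group(1) for m in SECRET_RE.finditer(text)})
            if names:
                findings.append((os.path.relpath(path, web_root), names))
    return sorted(findings)

def demo():
    """Build a constructed web root and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files, values are placeholders
            "survey/global.inc": '<?php $db_host = "localhost";\n$db_pass = "example-only"; ?>',
            "survey/index.php": '<?php $db_pass = "example-only"; include "global.inc"; ?>',
            "survey/readme.txt": "Install notes, no code here.",
        }
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return find_exposed_includes(root)

if __name__ == "__main__":
    for rel, names in demo():
        print(f"served as plain text: {rel} (defines: {', '.join(names)})")
```

Any file it reports should be moved outside the web root or have direct requests for it denied in the server configuration.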

Disclosure

06/18/2002

Moderation

accepted

Entry

VDB-18293

CPE

ready

EPSS

0.02421

KEV

no

Activities

very low

Sector

Education
