CVE-2002-2029 in HTTP Server
Summary
by MITRE
PHP, when installed on Windows with Apache and ScriptAlias for /php/ set to c:/php/, allows remote attackers to read arbitrary files and possibly execute arbitrary programs via an HTTP request for php.exe with a filename in the query string.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 05/26/2025
This vulnerability exists in PHP installations running on Windows systems with Apache web server configuration where the ScriptAlias directive maps /php/ to the local path c:/php/. The flaw arises from improper input validation when processing HTTP requests containing filenames in the query string parameter of php.exe. Attackers can exploit this by crafting malicious HTTP requests that include file paths as query parameters, allowing them to bypass normal file access controls and potentially execute arbitrary code on the target system. The vulnerability stems from the way PHP handles command-line arguments when invoked through the web server interface, creating a path traversal condition that can be manipulated by remote unauthenticated users. This represents a critical security flaw that directly violates the principle of least privilege and allows for arbitrary file access and code execution.
The technical implementation of this vulnerability leverages the Windows file system structure and PHP's handling of command-line parameters. When the ScriptAlias directive maps the URL path /php/ to the physical directory c:/php/, any request containing php.exe with a filename parameter in the query string can be manipulated to access arbitrary files on the system. The vulnerability specifically affects the way PHP processes the REQUEST_URI and query string parameters, allowing attackers to specify file paths that are not properly sanitized or validated before being passed to the operating system. This creates a path traversal condition where attackers can navigate beyond the intended directory boundaries and access sensitive system files, configuration data, or even execute system commands through the web server interface. The flaw is categorized under CWE-22 Path Traversal and aligns with ATT&CK technique T1059 Command and Scripting Interpreter.
The operational impact of this vulnerability is severe and can result in complete system compromise. Remote attackers can use this vulnerability to read sensitive files such as configuration files, database credentials, user information, or system files that should not be accessible through the web interface. The ability to execute arbitrary programs means that attackers can establish persistent access, install backdoors, or perform further reconnaissance within the compromised network. This vulnerability is particularly dangerous in shared hosting environments or enterprise web servers where multiple applications may be running on the same system. The exploitation can lead to data breaches, system infiltration, and potential lateral movement within the network infrastructure. Organizations may face regulatory compliance violations, financial losses, and reputational damage when such vulnerabilities are exploited. The vulnerability also demonstrates weaknesses in web server security configuration and highlights the importance of proper input validation and access control mechanisms.
Mitigation strategies for this vulnerability include immediate patching of affected PHP installations, proper configuration of Apache web server to avoid insecure ScriptAlias directives, and implementation of input validation controls. Organizations should remove or secure any ScriptAlias configurations that map web paths to local file system locations without proper access controls. The recommended approach involves upgrading to patched versions of PHP that properly sanitize input parameters and validate file access requests. Network segmentation and firewall rules can help limit access to PHP executable files, while web application firewalls can provide additional protection against malicious query string parameters. Security monitoring should be implemented to detect unusual patterns in web access logs that may indicate exploitation attempts. Regular security assessments and vulnerability scanning should be conducted to identify similar misconfigurations in web server environments. The fix typically involves modifying the Apache configuration to properly restrict access to PHP executables and ensuring that all file access operations are properly validated against a whitelist of allowed paths and operations.