CVE-2002-0253 - Vulnerability Details - OpenCVE

PHP, when not configured with the "display_errors = Off" setting in php.ini, allows remote attackers to obtain the physical path for an include file via a trailing slash in a request to a directly accessible PHP program, which modifies the base path, causes the include directive to fail, and produces an error message that contains the path.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00915.

Key SSVC decision points have not yet been added.

Vendors	Products
Php Subscribe	Php Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:php:php:4.0:::::::*
	cpe:2.3:a:php:php:4.0.1:::::::*
	cpe:2.3:a:php:php:4.0.1:patch2::::::
	cpe:2.3:a:php:php:4.0.3:::::::*
	cpe:2.3:a:php:php:4.0.4:::::::*
	cpe:2.3:a:php:php:4.0.5:::::::*
	cpe:2.3:a:php:php:4.0.6:::::::*
	cpe:2.3:a:php:php:4.1.0:::::::*
	cpe:2.3:a:php:php:4.1.2:::::::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2002-0250	PHP, when not configured with the "display_errors = Off" setting in php.ini, allows remote attackers to obtain the physical path for an include file via a trailing slash in a request to a directly accessible PHP program, which modifies the base path, causes the include directive to fail, and produces an error message that contains the path.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://marc.info/?l=bugtraq&m=101318944130790&w=2
http://www.iss.net/security_center/static/8122.php
http://www.securityfocus.com/bid/4063

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2002-05-03T04:00:00

Updated: 2024-08-08T02:42:28.568Z

Reserved: 2002-05-01T00:00:00

Link: CVE-2002-0253

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2002-05-29T04:00:00.000

Modified: 2025-04-03T01:03:51.193

Link: CVE-2002-0253

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2002-02-07T00:00:00", "descriptions": [{"lang": "en", "value": "PHP, when not configured with the \"display_errors = Off\" setting in php.ini, allows remote attackers to obtain the physical path for an include file via a trailing slash in a request to a directly accessible PHP program, which modifies the base path, causes the include directive to fail, and produces an error message that contains the path."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-10-17T13:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20020207 Advisory #3 - PHP & JSP", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://marc.info/?l=bugtraq&m=101318944130790&w=2"}, {"name": "php-slash-path-information(8122)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "http://www.iss.net/security_center/static/8122.php"}, {"name": "4063", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/4063"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2002-0253", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "PHP, when not configured with the \"display_errors = Off\" setting in php.ini, allows remote attackers to obtain the physical path for an include file via a trailing slash in a request to a directly accessible PHP program, which modifies the base path, causes the include directive to fail, and produces an error message that contains the path."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20020207 Advisory #3 - PHP & JSP", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq&m=101318944130790&w=2"}, {"name": "php-slash-path-information(8122)", "refsource": "XF", "url": "http://www.iss.net/security_center/static/8122.php"}, {"name": "4063", "refsource": "BID", "url": "http://www.securityfocus.com/bid/4063"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-08T02:42:28.568Z"}, "title": "CVE Program Container", "references": [{"name": "20020207 Advisory #3 - PHP & JSP", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://marc.info/?l=bugtraq&m=101318944130790&w=2"}, {"name": "php-slash-path-information(8122)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "http://www.iss.net/security_center/static/8122.php"}, {"name": "4063", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/4063"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2002-0253", "datePublished": "2002-05-03T04:00:00", "dateReserved": "2002-05-01T00:00:00", "dateUpdated": "2024-08-08T02:42:28.568Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "EDBEC461-D553-41B7-8D85-20B6A933C21C", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78BAA18C-E5A0-4210-B64B-709BBFF31EEC", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:4.0.1:patch2:*:*:*:*:*:*", "matchCriteriaId": "37896E87-95C2-4039-8362-BC03B1C56706", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "57B59616-A309-40B4-94B1-50A7BC00E35C", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "0F39A1B1-416E-4436-8007-733B66904A14", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "DD5FC218-3DDB-4981-81C9-6C69F8DA6F4D", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "FC2E5F96-66D2-4F99-A74D-6A2305EE218E", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:4.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "6713614A-B14E-4A85-BF89-ED780068FC68", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "069EB7EE-06B9-454F-9007-8DE5DCA33C53", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PHP, when not configured with the \"display_errors = Off\" setting in php.ini, allows remote attackers to obtain the physical path for an include file via a trailing slash in a request to a directly accessible PHP program, which modifies the base path, causes the include directive to fail, and produces an error message that contains the path."}, {"lang": "es", "value": "PHP, cuando no est\u00e1 configurado con la opci\u00f3n \"\"display_errors = Off\"\" en el fichero php.ini, permite que atacantes remotos obtengan el path absoluto para un fichero include por medio de un caracter / en una petici\u00f3n a un programa PHP directamente accesible, lo cual modifica el path de base, obliga a que la directiva include falle, y produce un mensaje de error que contiene el path."}], "id": "CVE-2002-0253", "lastModified": "2025-04-03T01:03:51.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2002-05-29T04:00:00.000", "references": [{"source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq&m=101318944130790&w=2"}, {"source": "cve@mitre.org", "url": "http://www.iss.net/security_center/static/8122.php"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/4063"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=bugtraq&m=101318944130790&w=2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.iss.net/security_center/static/8122.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/4063"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}