Debian Bug report logs - #200543
[ Unauthorized reading files on phpSysInfo]

Package: phpsysinfo; Maintainer for phpsysinfo is Bjoern Boschman <>; Source for phpsysinfo is src:phpsysinfo.

Reported by: Matt Zimmerman <>

Date: Wed, 9 Jul 2003 01:03:01 UTC

Severity: grave

Tags: security

Fixed in version phpsysinfo/2.1-1

Done: Frederik Schueler <>

Bug is archived. No further changes may be made.

Report forwarded to, Hereward Cooper (Hereward Matthew Lawrence Cooper) <>:
Bug#200543; Package phpsysinfo. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <>:
New Bug report received and forwarded. Copy sent to Hereward Cooper (Hereward Matthew Lawrence Cooper) <>. Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Matt Zimmerman <>
Subject: [ Unauthorized reading files on phpSysInfo]
Date: Tue, 8 Jul 2003 20:48:53 -0400
Package: phpsysinfo
Severity: grave
Tags: security

----- Forwarded message from Albert Puigsech Galicia <> -----

Date: Fri, 25 Apr 2003 08:22:23 +0100
From: Albert Puigsech Galicia <>
Subject: Unauthorized reading files on phpSysInfo

|                             7 A 6 9 - A d v                          C: 007
|              [ Unauthorized reading files on phpSysInfo ]
                                                                | 01/04/2003 |


        + Type:         To gain visibility.

        + Software:     phpSysInfo.

        + Versions:     until 2.1 (current version).

        + Exploit:      Yes (but only local).

        + Author:       Albert Puigsech Galicia

        + Contact:


        PhpSysInfo is a little PHP script destined to show system information.
It shows data like CPU or memory usage, Disk usage, PCI, ethernet, and IDE
information, etc. Visit project website on
for more info.


        PhpSysInfo uses a template system using the 'template' variable, and a
language system using the 'lng' variable. These variables are used to complete
a file path without checking whether it contains the '..' special directory,
allowing any file on the system to be read as the webserver user.


        The exploit of this vulnerability requires write access on a local
directory where the webserver can read files.

        In the template case, phpSysInfo checks only if the template exists. To do
it, it only checks if 'templates/$template' exists.

---/ index.php /---

if (!((isset($template) && file_exists("templates/$template")) || $template ==
'xml')) {
    // default template we should use if we don't get a argument.
    $template = 'classic';

---/ index.php /---

        Exactly the same on the language selection system.

---/ index.php /---

if (!(isset($lng) && file_exists('./includes/lang/' . $lng . '.php'))) {
    $lng = 'en';
    // see if the browser knows the right languange.
    if(isset($HTTP_ACCEPT_LANGUAGE)) {
        $plng = split(',', $HTTP_ACCEPT_LANGUAGE);
        if(count($plng) > 0) {
            while(list($k,$v) = each($plng)) {
                $k = split(';', $v, 1);
                $k = split('-', $k[0]);
                if(file_exists('./includes/lang/' . $k[0] . '.php')) {
                    $lng = $k[0];

---/ index.php /---

        The 'template' variable will be used to use the files
'./templates/$template/form.tpl' and './templates/$template/box.tpl'
for template stuff, so it is necessary to create the symlinks to read
any file allowed to the webserver.

        local ~$ ln -s /etc/passwd /tmp/form.tpl
        local ~$ ln -s /etc/passwd /tmp/box.tpl


        The 'lng' variable is used in this piece of code:

---/ index.php /---

require('./includes/lang/' . $lng . '.php');   // get our language include

---/ index.php /---

        It allows us, in the same way as 'template', to read a file on
the system.

        local ~$ ln -s /etc/passwd /tmp/p.php


        But it also allows executing arbitrary PHP code, by creating the PHP
file first.

        local ~$ echo "<?php phpinfo() ?>" > /tmp/p.php


        The use of '.' php function to concat strings remote exploit for
this vulnerable php script, because we can't use %00 to end the string.


        There is not an official patch, but it is easy to code one by adding some
regex to the code to filter '..' content in the 'template' and 'lng' variables.

> Albert Puigsech Galicia (7a69)

----- End forwarded message -----

 - mdz
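
The check the advisory asks for on 'template' and 'lng', written as a name allowlist plus a resolved-path containment test so that symlinked entries are rejected as well as '..'. This is an added example, not part of the report and not the phpSysInfo or Debian fix; `pick_component()`, the sandbox paths and the sample inputs are hypothetical.

```php
<?php
// Added example, not phpSysInfo code. The directory layout (templates/<name>/,
// includes/lang/<name>.php) comes from the index.php excerpts in the advisory;
// pick_component() and the sandbox paths are hypothetical.

// Return $name only if it is a plain identifier AND resolves to an entry
// directly inside $baseDir; otherwise fall back to $default.
function pick_component(string $baseDir, $name, string $suffix, string $default): string
{
    // 1. Syntactic allowlist: rejects '/', '.', NUL bytes and non-string input.
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name)) {
        return $default;
    }
    // 2. realpath() resolves '..' and symlinks; the result must still sit
    //    directly under the resolved base directory.
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $name . $suffix);
    if ($base === false || $real === false || dirname($real) !== $base) {
        return $default;
    }
    return $name;
}

// Constructed sandbox so the check runs offline.
$root = sys_get_temp_dir() . '/psi_demo_' . getmypid();
mkdir("$root/templates/classic", 0700, true);
mkdir("$root/includes/lang", 0700, true);
file_put_contents("$root/includes/lang/en.php", "<?php\n");
file_put_contents("$root/includes/lang/de.php", "<?php\n");
// A template entry that is a symlink leaving the templates directory.
symlink(sys_get_temp_dir(), "$root/templates/linked");

// Constructed inputs: two legitimate names, then values that a bare
// file_exists() test on the concatenated path would accept.
$inputs = ['classic', 'de', '../includes', 'linked', ['x']];
foreach ($inputs as $in) {
    $template = pick_component("$root/templates", $in, '', 'classic');
    $lng      = pick_component("$root/includes/lang", $in, '.php', 'en');
    printf("%-16s template=%-8s lng=%s\n",
        json_encode($in, JSON_UNESCAPED_SLASHES), $template, $lng);
}
```

Only 'classic' survives as a template and only 'de' as a language; every other input falls back to the defaults.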

Information forwarded to, Hereward Cooper (Hereward Matthew Lawrence Cooper) <>:
Bug#200543; Package phpsysinfo. Full text and rfc822 format available.

Acknowledgement sent to Martin Michlmayr <>:
Extra info received and forwarded to list. Copy sent to Hereward Cooper (Hereward Matthew Lawrence Cooper) <>. Full text and rfc822 format available.

Message #10 received at (full text, mbox):

From: Martin Michlmayr <>
Subject: Fixed in stable, not in testing/unstable
Date: Sun, 12 Oct 2003 23:48:06 +1000
This has been fixed in stable due to DSA-346-1
(, but testing/unstable
are still vulnerable.

Martin Michlmayr

Reply sent to Frederik Schueler <>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Matt Zimmerman <>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at (full text, mbox):

From: Frederik Schueler <>
Subject: Bug#200543: fixed in phpsysinfo 2.1-1
Date: Mon, 13 Oct 2003 07:47:34 -0400
Source: phpsysinfo
Source-Version: 2.1-1

We believe that the bug you reported is fixed in the latest version of
phpsysinfo, which is due to be installed in the Debian FTP archive:

  to pool/main/p/phpsysinfo/phpsysinfo_2.1-1.diff.gz
  to pool/main/p/phpsysinfo/phpsysinfo_2.1-1.dsc
  to pool/main/p/phpsysinfo/phpsysinfo_2.1-1_all.deb
  to pool/main/p/phpsysinfo/phpsysinfo_2.1.orig.tar.gz

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Frederik Schueler <> (supplier of updated phpsysinfo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Format: 1.7
Date: Sat, 27 Sep 2003 21:30:33 +0200
Source: phpsysinfo
Binary: phpsysinfo
Architecture: source all
Version: 2.1-1
Distribution: unstable
Urgency: low
Maintainer: Frederik Schueler <>
Changed-By: Frederik Schueler <>
 phpsysinfo - PHP Based Host Information
Closes: 134896 163788 200543 211701
 phpsysinfo (2.1-1) unstable; urgency=low
   * New maintainer, closes:  #211701
   * New upstream release
   * fixed template/lng parsing, closes: #200543
   * added alternative php4-cgi and php3-cgi dependency, closes: #163788
   * fixed package description, closes: #134896
   * bumped standards to 3.6.1
   * added patch for Linux 2.5/2.6 /proc/meminfo handling
 a8039368ee52fd8912a0a35a316d1ac9 577 web optional phpsysinfo_2.1-1.dsc
 22d4d7977dfff237f8e0aa3e4ebaee75 104141 web optional phpsysinfo_2.1.orig.tar.gz
 966612f8eaa0675afcfcbf8e048f2bef 3601 web optional phpsysinfo_2.1-1.diff.gz
 83a709965f025b94e151453e1b0cd7a0 92612 web optional phpsysinfo_2.1-1_all.deb

Debian bug tracking system administrator <>. Last modified: Wed Apr 16 11:19:37 2014; Machine Name: