Title
17/2/2002
PHP for Windows Arbitrary Files Execution (GIF, MP3)

Summary
Through PHP.EXE, an attacker can cause PHP to interpret any file as a PHP file, even if its extension is not PHP. This would enable the remote attacker to execute arbitrary commands, leading to a system compromise.

Details
Vulnerable systems:
PHP version 4.1.1 under Windows
PHP version 4.0.4 under Windows

An attacker can upload innocent-looking files (with mp3, txt or gif extensions) through any upload system such as WebExplorer (or any other PHP program that has uploading capabilities), and then request PHP to execute them.

Example:
After uploading a file with a "gif" extension (in our example huh.gif) that contains PHP code such as:
#------------
#------------
an attacker can type the following address to cause the uploaded file to be executed as PHP:
http://www.example.com/php/php.exe/UPLOAD_DIRECTORY/huh.gif

Notice: php/php.exe is included in the URL.

Additional information
The information has been provided by CompuMe and RootExtractor.
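
To check whether a server has received requests of the shape shown in the example above, the following added example (not part of the original advisory) scans web access logs for URLs that route a non-PHP file through php.exe. It assumes Common Log Format entries; the function names, the list of script extensions and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions that are expected to be handed to the PHP interpreter (assumption).
SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".phtml"}

# Request line inside a Common Log Format entry: "METHOD target PROTOCOL".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# php.exe used as a path component, followed by extra path info.
PHP_EXE_RE = re.compile(r"/php\.exe(?P<path_info>/[^?#]*)", re.IGNORECASE)


def suspicious_path_info(target):
    """Return the path passed to php.exe if it is not a PHP script, else None."""
    path = unquote(urlsplit(target).path)      # drop query, decode %2e etc.
    path = path.replace("\\", "/")             # Windows servers accept backslashes
    match = PHP_EXE_RE.search(path)
    if not match:
        return None
    path_info = match.group("path_info")
    name = path_info.rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return None if ext in SCRIPT_EXTENSIONS else path_info


def scan(log_lines):
    """Yield (line_number, path_info) for each request that should be reviewed."""
    for number, line in enumerate(log_lines, 1):
        request = REQUEST_RE.search(line)
        if request:
            hit = suspicious_path_info(request.group("target"))
            if hit is not None:
                yield number, hit


# Constructed sample log lines (not from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Feb/2002:10:00:01 +0000] "GET /php/php.exe/app/index.php HTTP/1.0" 200 512',
    '192.0.2.11 - - [17/Feb/2002:10:00:05 +0000] "GET /php/php.exe/UPLOAD_DIRECTORY/huh.gif HTTP/1.0" 200 87',
    '192.0.2.11 - - [17/Feb/2002:10:00:09 +0000] "GET /PHP/PHP.EXE/UPLOAD_DIRECTORY/song%2Emp3?x=1 HTTP/1.0" 200 90',
    '192.0.2.12 - - [17/Feb/2002:10:00:12 +0000] "GET /images/logo.gif HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for number, path_info in scan(SAMPLE_LOG):
        print(f"line {number}: php.exe asked to run {path_info}")
```

The match is case-insensitive and applied after percent-decoding, because Windows file names ignore case and the extension can be encoded in the request.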