Google Groups

Serious vulnerability in Minify

Steve Clay Jul 23, 2013 2:00 PM
Posted in group: Minify support

On some systems running Minify, an attacker may be able to reveal the contents of
arbitrary files. You are strongly advised to follow the instructions below to manually
patch your system, and upgrade to Minify 2.1.7 when possible.


All versions within 2.x are likely affected, and all can be patched via the instructions


Open /min/index.php. A comment block begins on line 2.

Insert a line break so that the comment begins on line 3.

Copy and paste the following code onto line 2:

     if (isset($_GET['f'])) {
         $_GET['f'] = str_replace("\x00", '', (string)$_GET['f']);

Save the file.


On some PHP systems, file system functions accept parameters containing null bytes
("\x00"), but do not handle them correctly. See:

An attacker may be able to use Minify to reveal the contents of any file PHP has access to
within the document root, including sensitive configuration files.

Thanks to Matt Mecham for reporting this vulnerability.

MINIFY 2.1.7

You are strongly encouraged to upgrade to Minify 2.1.7, available at these URLS:


For further support, email

Steve Clay