
PHP 4.0.0...4.0.4 users can configure PHP directives on a per-directory basis



    PHP 4.0.0...4.0.4


    Zeev Suraski found the following.  PHP supports a configuration
    mechanism  that  allows  users  to  configure  PHP directives on a
    per-directory basis.   Under Apache,  this is  usually done  using
    .htaccess files.   Due to a  bug in the  Apache module version  of
    PHP, remote 'malicious  users' might be  able to create  a special
    HTTP request that would cause PHP to serve the next page with  the
    wrong  values  for  these  directives.   In  certain (fairly rare)
    situations, this could result in a security problem.

    PHP supports  the ability  to be  installed, and  yet disabled, by
    setting the configuration option 'engine = off'.  Due to a bug  in
    the Apache  module version  of PHP,  if one  or more virtual hosts
    within a  single Apache  server were  configured with  engine=off,
    this  value  could  'propagate'  to  other virtual hosts.  Because
    setting this option  to 'off' disables  execution of PHP  scripts,
    the source code of the scripts could end up being sent to the  end

    Even though  in their  worst-case situations  these problems could
    have severe implications,  these worst-cases are  rare.  In  order
    to  take  advantage  of  problem  #1,  the attacker must have good
    knowledge of the structure of the site, the values of the  various
    PHP directives in  each directory, and  a way that  would help him
    exploit the bug using this  knowledge.  In addition, he  must also
    be lucky  enough to  perform the  attack on  the same Apache httpd
    process that  he exploits  in a  prior request,  which can be very
    difficult to do on a busy site.

    Problem #2 is more serious, but because of its severity, it's most
    often  detected  immediately.   This  problem  also only affects a
    setup that has multiple virtual hosts with some of them configured
    not to allow execution of PHP scripts, which is pretty rare.

    All versions of PHP 4.0, from PHP 4.0.0 (and possibly earlier
    betas) through PHP 4.0.4, are vulnerable to these problems.  Note
    that only the Apache module version of PHP is vulnerable - the CGI
    module as well as other server modules are *NOT* affected.

    PHP 3.0 is *NOT* affected.


    The recommended solution is to upgrade to PHP 4.0.4pl1,  available

    A workaround for  problem #2 is  to explicitly set  'engine=on' on
    all of the virtual hosts that are supposed to serve PHP pages,  if
    one or more virtual hosts is configured with engine=off.
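
    An added audit sketch for the problem #2 workaround (not part of
    the original advisory or of PHP): it lists virtual hosts that have
    no explicit engine value while another virtual host sets engine
    off.  It assumes the setting is made with php_flag, php_admin_flag
    or their _value forms inside <VirtualHost> blocks of one file; the
    sample configuration and host names are constructed.

```python
import re

# Constructed sample httpd.conf fragment; host names are placeholders.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName static.example.test
    php_flag engine off
</VirtualHost>
<VirtualHost *:80>
    ServerName app.example.test
</VirtualHost>
<VirtualHost *:80>
    ServerName shop.example.test
    # php_flag engine off
    php_admin_flag engine On
</VirtualHost>
"""

SERVER_NAME = re.compile(r"^ServerName\s+(\S+)", re.I)
ENGINE = re.compile(r"^php_(?:admin_)?(?:flag|value)\s+engine\s+(\S+)", re.I)

def parse_vhosts(conf_text):
    """Return [(server_name, engine)]; engine is 'on', 'off' or None if unset."""
    vhosts, current = [], None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out directives
        if re.match(r"<VirtualHost\b", line, re.I):
            current = {"name": "(unnamed)", "engine": None}
        elif re.match(r"</VirtualHost>", line, re.I) and current is not None:
            vhosts.append((current["name"], current["engine"]))
            current = None
        elif current is not None:
            if m := SERVER_NAME.match(line):
                current["name"] = m.group(1)
            elif m := ENGINE.match(line):
                value = m.group(1).strip("\"'").lower()
                current["engine"] = "on" if value in ("on", "1") else "off"
    return vhosts

def vhosts_missing_engine(conf_text):
    """Vhosts with no explicit engine value while some other vhost sets it off."""
    vhosts = parse_vhosts(conf_text)
    if not any(engine == "off" for _, engine in vhosts):
        return []  # the workaround only matters when a vhost disables PHP
    return [name for name, engine in vhosts if engine is None]

if __name__ == "__main__":
    print("add an explicit 'engine on' to:", vhosts_missing_engine(SAMPLE_CONF))
```

    Settings placed in .htaccess files or in included configuration
    files are outside what this sketch reads.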

    A  partial  workaround  for  problem  #1  is to disallow 'OPTIONS'

    For Linux-Mandrake:

        Linux-Mandrake 7.2: 7.2/RPMS/mod_php-4.0.4pl1-1.2mdk.i586.rpm

    For Conectiva Linux:

    For RedHat:

    For Debian:
