(From the BugTraq mailing list; HTML encoding added.)
Date: Fri, 12 Jan 2001 21:14:10 +0200
From: Zeev Suraski
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: PHP Security Advisory - Apache Module bugs

[2] PHP supports the ability to be installed, and yet disabled, by setting the configuration option 'engine = off'. Due to a bug in the Apache module version of PHP, if one or more virtual hosts within a single Apache server were configured with engine=off, this value could 'propagate' to other virtual hosts. Because setting this option to 'off' disables execution of PHP scripts, the source code of the scripts could end up being sent to the end clients.
Problem #2 is more serious, but because of its severity, it's most often detected immediately. This problem also only affects a setup that has multiple virtual hosts with some of them configured not to allow execution of PHP scripts, which is pretty rare.
PHP 3.0 is *NOT* affected.
A workaround for problem #2 is to explicitly set 'engine=on' on all of the virtual hosts that are supposed to serve PHP pages, if one or more virtual hosts is configured with engine=off.
A partial workaround for problem #1 is to disallow 'OPTIONS' requests.

Zeev
PHP Group
http://www.php.net/

--
Zeev Suraski
CTO & co-founder, Zend Technologies Ltd.
http://www.zend.com/
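
Added example, not part of the original advisory or of PHP's own code: a small Python check for the workaround for problem #2, listing virtual hosts that have no explicit engine setting while another host in the same configuration sets engine off. It assumes the option is set per virtual host with mod_php's php_flag / php_admin_flag directives and that hosts are identified by ServerName; the sample configuration is constructed.

```python
import re

# Constructed sample httpd.conf fragment (not taken from the advisory).
SAMPLE_CONF = """\
<VirtualHost 10.0.0.1>
    ServerName static.example.com
    php_admin_flag engine off
</VirtualHost>
<VirtualHost 10.0.0.1>
    ServerName app.example.com
    # no explicit engine setting: relies on the inherited default
</VirtualHost>
<VirtualHost 10.0.0.1>
    ServerName shop.example.com
    php_flag engine On
</VirtualHost>
"""

# Assumption: 'engine' is set with php_flag or php_admin_flag inside <VirtualHost>.
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\b[^>]*>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
SERVER_NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.I)
ENGINE = re.compile(r"^\s*php_(?:admin_)?flag\s+engine\s+(\S+)", re.I)

def parse_vhosts(conf):
    """Return (name, engine) per virtual host; engine is 'on', 'off' or None."""
    vhosts, current = [], None
    for lineno, line in enumerate(conf.splitlines(), 1):
        if VHOST_OPEN.match(line):
            current = {"name": f"<vhost at line {lineno}>", "engine": None}
        elif VHOST_CLOSE.match(line) and current is not None:
            vhosts.append((current["name"], current["engine"]))
            current = None
        elif current is not None:
            if m := SERVER_NAME.match(line):
                current["name"] = m.group(1)
            elif m := ENGINE.match(line):
                # Anything other than On/1 is treated as off (conservative choice).
                value = m.group(1).strip("\"'").lower()
                current["engine"] = "on" if value in ("on", "1") else "off"
    return vhosts

def vhosts_needing_explicit_on(conf):
    """Hosts with no explicit engine setting, reported only if some host is off."""
    vhosts = parse_vhosts(conf)
    if not any(engine == "off" for _, engine in vhosts):
        return []  # the propagation precondition is absent
    return [name for name, engine in vhosts if engine is None]
```

Each host the check returns still has to be reviewed by hand: only those meant to serve PHP pages need the explicit engine=on.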