The OpenNET Project
 


PHP Security Advisory - Apache Module bugs


Date: Fri, 12 Jan 2001 21:14:10 +0200
From: Zeev Suraski <[email protected]>
To: [email protected]
Subject: PHP Security Advisory - Apache Module bugs

Problems
=========

[1] PHP supports a configuration mechanism that allows users to configure
PHP directives on a per-directory basis.  Under Apache, this is usually
done using .htaccess files.  Due to a bug in the Apache module version of
PHP, remote 'malicious users' might be able to create a special HTTP
request that would cause PHP to serve the next page with the wrong values
for these directives.  In certain (fairly rare) situations, this could
result in a security problem.

[2] PHP supports the ability to be installed, and yet disabled, by setting
the configuration option 'engine = off'.  Due to a bug in the Apache module
version of PHP, if one or more virtual hosts within a single Apache server
were configured with engine=off, this value could 'propagate' to other
virtual hosts.  Because setting this option to 'off' disables execution of
PHP scripts, the source code of the scripts could end up being sent to the
end clients.


Impact
=======

Even though in their worst-case situations these problems could have severe
implications, these worst-cases are rare.  In order to take advantage of
problem #1, the attacker must have good knowledge of the structure of the
site, the values of the various PHP directives in each directory, and a way
that would help him exploit the bug using this knowledge.  In addition, he
must also be lucky enough to perform the attack on the same Apache httpd
process that he exploits in a prior request, which can be very difficult to
do on a busy site.
Problem #2 is more serious, but because of its severity, it's most often
detected immediately.  This problem also only affects a setup that has
multiple virtual hosts with some of them configured not to allow execution
of PHP scripts, which is pretty rare.


Affected Software Versions
===========================

All versions of PHP 4.0, from PHP 4.0.0 (and possibly earlier betas) through
PHP 4.0.4 are vulnerable to these problems.  Note that only the Apache module
version of PHP is vulnerable - the CGI module as well as other server
modules are *NOT* affected.  PHP 3.0 is *NOT* affected.


Solution
========

The recommended solution is to upgrade to PHP 4.0.4pl1, available at
http://www.php.net/downloads.php

A workaround for problem #2 is to explicitly set 'engine=on' on all of the
virtual hosts that are supposed to serve PHP pages, if one or more virtual
hosts is configured with engine=off.

A partial workaround for problem #1 is to disallow 'OPTIONS' requests.


Acknowledgements
=================

I'd like to thank James Moore, who, after hearing about the bug report,
managed to successfully reproduce it, and issue a pin-pointing problem
description, that helped solve the bug instantly.

Zeev
PHP Group
http://www.php.net/

--
Zeev Suraski <[email protected]>
CTO & co-founder, Zend Technologies Ltd.
http://www.zend.com/
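
The workaround for problem #2, turned into a configuration audit. This is an added example, not code from the advisory or the PHP project; it assumes the engine setting is written with mod_php's php_flag / php_admin_flag directives inside <VirtualHost> blocks of a single file, and the sample configuration and hostnames are constructed.

```python
import re

# Constructed sample configuration; hostnames and paths are made up.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName static.example.test
    php_flag engine off
</VirtualHost>
<VirtualHost *:80>
    ServerName app.example.test
    DocumentRoot /var/www/app
</VirtualHost>
<VirtualHost *:80>
    ServerName shop.example.test
    php_admin_flag engine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.I | re.S)
ENGINE_RE = re.compile(r"^\s*php_(?:admin_)?flag\s+engine\s+(\S+)", re.I | re.M)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.I | re.M)


def audit_engine_settings(conf_text):
    """Return (disabled, unpinned) lists of virtual host names.

    disabled: vhosts that switch the PHP engine off.
    unpinned: vhosts with no explicit engine setting; reported only when
    some vhost disables the engine, which is the workaround's condition.
    """
    # Ignore commented-out lines so disabled directives are not counted.
    text = "\n".join(l for l in conf_text.splitlines()
                     if not l.lstrip().startswith("#"))
    disabled, unpinned = [], []
    for idx, match in enumerate(VHOST_RE.finditer(text), 1):
        body = match.group(1)
        name = NAME_RE.search(body)
        label = name.group(1) if name else f"<vhost #{idx}>"
        setting = ENGINE_RE.search(body)
        if setting is None:
            unpinned.append(label)
        # Assumption of this example: any value other than on/1 disables.
        elif setting.group(1).lower() not in ("on", "1"):
            disabled.append(label)
    return disabled, (unpinned if disabled else [])


if __name__ == "__main__":
    off, missing = audit_engine_settings(SAMPLE_CONF)
    print("engine off:", off)
    print("needs an explicit engine=on:", missing)
```

The audit does not follow Include directives or .htaccess files, so a clean result covers only the file it was given.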
