Apache Today [Your Apache News Source]
BugTraq: PHP Security Advisory - Apache Module bugs
Jan 15, 2001, 18:54 UTC (1 Talkback[s]) (1223 reads) (Other stories by Zeev Suraski)

(From the BugTraq mailing list; HTML encoding added.)

Date: Fri, 12 Jan 2001 21:14:10 +0200
From: Zeev Suraski 
To: [email protected]
Subject: PHP Security Advisory - Apache Module bugs

Problems

[1] PHP supports a configuration mechanism that allows users to configure PHP directives on a per-directory basis. Under Apache, this is usually done using .htaccess files. Due to a bug in the Apache module version of PHP, remote 'malicious users' might be able to create a special HTTP request that would cause PHP to serve the next page with the wrong values for these directives. In certain (fairly rare) situations, this could result in a security problem.

[2] PHP supports the ability to be installed, and yet disabled, by setting the configuration option 'engine = off'. Due to a bug in the Apache module version of PHP, if one or more virtual hosts within a single Apache server were configured with engine=off, this value could 'propagate' to other virtual hosts. Because setting this option to 'off' disables execution of PHP scripts, the source code of the scripts could end up being sent to the end clients.

Impact

Even though in their worst-case situations these problems could have severe implications, these worst-cases are rare. In order to take advantage of problem #1, the attacker must have good knowledge of the structure of the site, the values of the various PHP directives in each directory, and a way that would help him exploit the bug using this knowledge. In addition, he must also be lucky enough to perform the attack on the same Apache httpd process that he exploits in a prior request, which can be very difficult to do on a busy site.

Problem #2 is more serious, but because of its severity, it's most often detected immediately. This problem also only affects a setup that has multiple virtual hosts with some of them configured not to allow execution of PHP scripts, which is pretty rare.

Affected Software Versions

All versions of PHP 4.0, from PHP 4.0.0 (and possibly earlier betas) through PHP 4.0.4 are vulnerable to these problems. Note that only the Apache module version of PHP is vulnerable - the CGI module as well as other server modules are *NOT* affected.

PHP 3.0 is *NOT* affected.

Solution

The recommended solution is to upgrade to PHP 4.0.4pl1, available at http://www.php.net/downloads.php

A workaround for problem #2 is to explicitly set 'engine=on' on all of the virtual hosts that are supposed to serve PHP pages, if one or more virtual hosts is configured with engine=off.

A partial workaround for problem #1 is to disallow 'OPTIONS' requests.

Acknowledgements

I'd like to thank James Moore, who, after hearing about the bug report, managed to successfully reproduce it and issue a pinpointing problem description that helped solve the bug instantly.

Zeev


PHP Group
http://www.php.net/

--
Zeev Suraski 
CTO & co-founder, Zend Technologies Ltd. http://www.zend.com/
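
The workaround for problem #2 can be checked mechanically. The following is an added example, not part of the advisory or of PHP's own code: it scans an Apache configuration for virtual hosts that set the engine off and, if any exist, lists the virtual hosts that carry no explicit engine setting. The sample configuration, host names and the function name audit_engine are constructed for illustration; the check assumes the setting is made with php_flag/php_admin_flag/php_value inside <VirtualHost> blocks of one file and does not follow Include directives or .htaccess files.

```python
import re

# Constructed sample httpd.conf fragment (not taken from the advisory).
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10>
    ServerName static.example.test
    php_admin_flag engine off
</VirtualHost>
<VirtualHost 192.0.2.10>
    ServerName app.example.test
</VirtualHost>
<VirtualHost 192.0.2.10>
    ServerName shop.example.test
    php_admin_flag engine on
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\b", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
SERVER_NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.I)
ENGINE = re.compile(r"^\s*php_(?:admin_)?(?:flag|value)\s+engine\s+(\S+)", re.I)

def audit_engine(conf_text):
    """Return names of vhosts with no explicit engine setting, but only
    when at least one vhost sets engine off (the condition for problem #2)."""
    vhosts, current = [], None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):      # skip commented-out directives
            continue
        if VHOST_OPEN.match(line):
            current = {"name": "(unnamed)", "engine": None}
        elif VHOST_CLOSE.match(line) and current is not None:
            vhosts.append(current)
            current = None
        elif current is not None:
            m = SERVER_NAME.match(line)
            if m:
                current["name"] = m.group(1)
            m = ENGINE.match(line)
            if m:
                current["engine"] = m.group(1).lower() in ("on", "1", "true")
    if not any(v["engine"] is False for v in vhosts):
        return []                              # no engine=off anywhere: nothing to propagate
    return [v["name"] for v in vhosts if v["engine"] is None]

if __name__ == "__main__":
    for name in audit_engine(SAMPLE_CONF):
        print(f"{name}: set engine on explicitly if this host serves PHP")
```

Each host it reports either needs an explicit engine=on (if it is meant to serve PHP) or an explicit engine=off; upgrading to PHP 4.0.4pl1 remains the recommended fix.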


Talkback(s):

.htaccess
Hi,
I want to put a .htaccess in my public_html, but it didn't work. The .htaccess sets the PHP values auto_prepend_file and include_path. But it generates an internal server error, and in the log files: php_value not allowed here?
Is this about the settings for security? Why does it generate these errors?

Feb 13, 2001, 09:08:12
All times are recorded in UTC.