SECURITYVULNS:DOC:1167

PHP Security Advisory - Apache Module bugs

2001-01-16 00:00:00
vulners.com

Problems

[1] PHP supports a configuration mechanism that allows users to configure
PHP directives on a per-directory basis. Under Apache, this is usually
done using .htaccess files. Due to a bug in the Apache module version of
PHP, remote 'malicious users' might be able to create a special HTTP
request that would cause PHP to serve the next page with the wrong values
for these directives. In certain (fairly rare) situations, this could
result in a security problem.

[2] PHP supports the ability to be installed, and yet disabled, by setting
the configuration option 'engine = off'. Due to a bug in the Apache module
version of PHP, if one or more virtual hosts within a single Apache server
were configured with engine=off, this value could 'propagate' to other
virtual hosts. Because setting this option to 'off' disables execution of
PHP scripts, the source code of the scripts could end up being sent to the
end clients.

Impact

Even though in their worst-case situations these problems could have severe
implications, these worst-cases are rare. In order to take advantage of
problem #1, the attacker must have good knowledge of the structure of the
site, the values of the various PHP directives in each directory, and a way
that would help him exploit the bug using this knowledge. In addition, he
must also be lucky enough to perform the attack on the same Apache httpd
process that he exploits in a prior request, which can be very difficult to
do on a busy site.
Problem #2 is more serious, but because of its severity, it's most often
detected immediately. This problem also only affects a setup that has
multiple virtual hosts with some of them configured not to allow execution
of PHP scripts, which is pretty rare.

Affected Software Versions

All versions of PHP 4.0, from PHP 4.0.0 (and possibly earlier betas)
through PHP 4.0.4 are vulnerable to these problems. Note that only the
Apache module version of PHP is vulnerable - the CGI module as well as
other server modules are NOT affected.

PHP 3.0 is NOT affected.

Solution

The recommended solution is to upgrade to PHP 4.0.4pl1, available at
http://www.php.net/downloads.php

A workaround for problem #2 is to explicitly set 'engine=on' on all of the
virtual hosts that are supposed to serve PHP pages, if one or more virtual
hosts is configured with engine=off.

A partial workaround for problem #1 is to disallow 'OPTIONS' requests.
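The two workarounds above are configuration checks that can be audited mechanically. The following script is an added example, not part of the advisory: it walks the <VirtualHost> blocks of an httpd.conf, and, when any host sets engine off, flags hosts that still rely on the default engine value (workaround for problem #2) and hosts serving PHP that do not restrict OPTIONS (partial workaround for problem #1). The sample configuration, host names and the audit() function are constructed for illustration.

```python
import re

# Constructed httpd.conf fragment (not from the advisory): one vhost disables
# PHP, one sets engine on explicitly and limits OPTIONS, one relies on defaults.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName static.example.test
    php_admin_flag engine off
</VirtualHost>
<VirtualHost *:80>
    ServerName app.example.test
    php_admin_flag engine on
    <Limit OPTIONS>
        Order deny,allow
        Deny from all
    </Limit>
</VirtualHost>
<VirtualHost *:80>
    ServerName blog.example.test
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)
ENGINE_RE = re.compile(r"^\s*php_(?:admin_)?flag\s+engine\s+(on|off)", re.M | re.I)
OPTIONS_RE = re.compile(r"<Limit\s+[^>]*\bOPTIONS\b[^>]*>", re.I)


def parse_vhosts(conf):
    """Return one dict per <VirtualHost> with its name, engine flag and OPTIONS limit."""
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        body = m.group(1)
        name = NAME_RE.search(body)
        eng = ENGINE_RE.search(body)
        vhosts.append({
            "name": name.group(1) if name else "<unnamed>",
            "engine": eng.group(1).lower() if eng else None,  # None = inherited default
            "limits_options": bool(OPTIONS_RE.search(body)),
        })
    return vhosts


def audit(conf):
    """List (vhost, finding) pairs for hosts missing either workaround."""
    vhosts = parse_vhosts(conf)
    findings = []
    any_off = any(v["engine"] == "off" for v in vhosts)
    for v in vhosts:
        if any_off and v["engine"] is None:
            findings.append((v["name"], "engine not set explicitly while another vhost has engine off"))
        if v["engine"] != "off" and not v["limits_options"]:
            findings.append((v["name"], "OPTIONS requests not restricted"))
    return findings
```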

Acknowledgements

I'd like to thank James Moore, who, after hearing about the bug report,
managed to successfully reproduce it and issue a pin-pointing problem
description that helped solve the bug instantly.

Zeev

PHP Group
http://www.php.net/