lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <294976436.20040208005027@cs.msu.su>
Date: Sun, 8 Feb 2004 00:50:27 +0300
From: Alexander GQ Gerasiov <bugtaq@...pp.ru>
To: bugtraq@...urityfocus.com
Subject: Re: [ GLSA 200402-01 ] PHP setting leaks from .htaccess files on virtual hosts


Hello Tim,

7 февраля 2004 г. you wrote:

TY> Synopsis
TY> ========

TY> If the server configuration "php.ini" file has "register_globals = on"
TY> and a request is made to one virtual host (which has "php_admin_flag
TY> register_globals off") and the next request is sent to the another
TY> virtual host (which does not have the setting) through the same apache
TY> child, the setting will persist. This may lead to leaks of global variables.

TY> Background
TY> ==========

TY> PHP is a widely-used general-purpose scripting language that is
TY> especially suited for Web development and can be embedded into HTML.

TY> Description
TY> ===========

TY> If the server configuration "php.ini" file has "register_globals = on"
TY> and a request is made to one virtual host (which has "php_admin_flag
TY> register_globals off") and the next request is sent to the another
TY> virtual host (which does not have the setting) through the same Apache
TY> child, the setting will persist.
I think I had the same problem with safe_mode_include_dir which was set in
<Directory> section of httpd.conf
May be I'm wrong, but problem looks very similar.

-- 
Best regards,
 Alexander GQ Gerasiov <bugtaq@...pp.ru>





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ