Date: Sun, 8 Feb 2004 00:50:27 +0300
From: Alexander GQ Gerasiov <bugtaq@...pp.ru>
To: bugtraq@...urityfocus.com
Subject: Re: [ GLSA 200402-01 ] PHP setting leaks from .htaccess files on virtual hosts


Hello Tim,

On 7 February 2004 you wrote:

TY> Synopsis
TY> ========

TY> If the server configuration "php.ini" file has "register_globals = on"
TY> and a request is made to one virtual host (which has "php_admin_flag
TY> register_globals off") and the next request is sent to another
TY> virtual host (which does not have the setting) through the same apache
TY> child, the setting will persist. This may lead to leaks of global variables.

TY> Background
TY> ==========

TY> PHP is a widely-used general-purpose scripting language that is
TY> especially suited for Web development and can be embedded into HTML.

TY> Description
TY> ===========

TY> If the server configuration "php.ini" file has "register_globals = on"
TY> and a request is made to one virtual host (which has "php_admin_flag
TY> register_globals off") and the next request is sent to another
TY> virtual host (which does not have the setting) through the same Apache
TY> child, the setting will persist.
I think I had the same problem with safe_mode_include_dir, which was set in
a <Directory> section of httpd.conf.
Maybe I'm wrong, but the problem looks very similar.

-- 
Best regards,
 Alexander GQ Gerasiov <bugtaq@...pp.ru>
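
A defensive check for the situation described in the quoted advisory and in this reply, added here as an example and not part of the original post or the GLSA: it lists PHP settings that some virtual hosts set in httpd.conf while others do not, i.e. the hosts that rely on the php.ini default. The function name, the simplified line-based parsing and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from the advisory or the post).
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName a.example
    php_admin_flag register_globals off
    <Directory /srv/a>
        php_admin_value safe_mode_include_dir /srv/a/inc
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example
    # no PHP overrides: relies on php.ini defaults
</VirtualHost>
<VirtualHost *:80>
    ServerName c.example
    php_admin_flag register_globals off
</VirtualHost>
"""

PHP_DIRECTIVE = re.compile(r"^\s*php_(?:admin_)?(?:flag|value)\s+(\S+)", re.I)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\b", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
SERVER_NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.I)

def uneven_php_settings(conf_text):
    """Map each PHP setting to the vhosts that set it and those that do not."""
    vhosts, current = [], None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out directives
        if VHOST_OPEN.match(line):
            current = {"name": "vhost#%d" % (len(vhosts) + 1), "settings": set()}
        elif VHOST_CLOSE.match(line) and current is not None:
            vhosts.append(current)
            current = None
        elif current is not None:
            name = SERVER_NAME.match(line)
            if name:
                current["name"] = name.group(1)
            php = PHP_DIRECTIVE.match(line)  # also catches nested <Directory> lines
            if php:
                current["settings"].add(php.group(1).lower())
    report = {}
    for setting in sorted(set().union(*(v["settings"] for v in vhosts))):
        missing = [v["name"] for v in vhosts if setting not in v["settings"]]
        if missing:  # set somewhere, absent elsewhere: review these hosts
            set_in = [v["name"] for v in vhosts if setting in v["settings"]]
            report[setting] = {"set_in": set_in, "missing_in": missing}
    return report
```

Hosts listed under `missing_in` are the ones to review; giving every virtual host an explicit value for the setting removes the dependence on whatever an earlier request left behind.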




