| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: rover at tob.ru (Sergei Golod) Subject: [ GLSA 200402-01 ] PHP setting leaks from .htaccess files on virtual hosts This bug was discussed at http://bugs.php.net/bug.php?id=25753. We are talking about same bug? ----- Original Message ----- From: "Tim Yamin" <plasmaroo@...too.org> To: <bugtraq@...urityfocus.com>; <full-disclosure@...ts.netsys.com>; <security-alerts@...uxsecurity.com>; <gentoo-core@...too.org>; <gentoo-announce@...too.org> Sent: Saturday, February 07, 2004 6:02 AM Subject: [Full-Disclosure] [ GLSA 200402-01 ] PHP setting leaks from .htaccess files on virtual hosts > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > Gentoo Linux Security Advisory GLSA 200402-01 > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > ~ http://security.gentoo.org > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > ~ Severity: Normal > ~ Title: PHP setting leaks from .htaccess files on virtual hosts > ~ Date: February 07, 2004 > ~ Bugs: #39952 > ~ ID: 200402-01 > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > Synopsis > ======== > > If the server configuration "php.ini" file has "register_globals = on" > and a request is made to one virtual host (which has "php_admin_flag > register_globals off") and the next request is sent to the another > virtual host (which does not have the setting) through the same apache > child, the setting will persist. This may lead to leaks of global variables. > > Background > ========== > > PHP is a widely-used general-purpose scripting language that is > especially suited for Web development and can be embedded into HTML. > > Description > =========== > > If the server configuration "php.ini" file has "register_globals = on" > and a request is made to one virtual host (which has "php_admin_flag > register_globals off") and the next request is sent to the another > virtual host (which does not have the setting) through the same Apache > child, the setting will persist. > > Impact > ====== > > Depending on the server and site, an attacker may be able to exploit > global variables to gain access to reserved areas, such as MySQL > passwords, or this vulnerability may simply cause a lack of > functionality. As a result, users are urged to upgrade their PHP > installations. > > Gentoo ships PHP with "register_globals" set to "off" by default. > > This issue affects both servers running Apache 1.x and servers running > Apache 2.x. > > Workaround > ========== > > No immediate workaround is available; a software upgrade is required. > > Resolution > ========== > > All users are recommended to upgrade their mod_php installation to 4.3.4-r4: > > ~ # emerge sync > ~ # emerge -pv ">=dev-php/mod_php-4.3.4-r4" > ~ # emerge ">=dev-php/mod_php-4.3.4-r4" > > Concerns? > ========= > > Security is a primary focus of Gentoo Linux and ensuring the > confidentiality and security of our users machines is of utmost > importance to us. Any security concerns should be addressed to > security@...too.org or alternatively, you may file a bug at > http://bugs.gentoo.org. > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.1 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFAJDkqMMXbAy2b2EIRAhRMAJ9SDV/WHYdUDqADIp29JmqGeFQszQCdFvRV > nCYFaIKKbzwJKHa9IUa2fvk= > =SM5z > -----END PGP SIGNATURE----- > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists