From: Zeev Suraski (zeevZEND.COM)
Date: Fri Jan 12 2001 - 13:14:10 CST

    Problems
    =========

    [1] PHP supports a configuration mechanism that allows users to configure
    PHP directives on a per-directory basis. Under Apache, this is usually
    done using .htaccess files. Due to a bug in the Apache module version of
    PHP, remote 'malicious users' might be able to create a special HTTP
    request that would cause PHP to serve the next page with the wrong values
    for these directives. In certain (fairly rare) situations, this could
    result in a security problem.

    [2] PHP supports the ability to be installed, and yet disabled, by setting
    the configuration option 'engine = off'. Due to a bug in the Apache module
    version of PHP, if one or more virtual hosts within a single Apache server
    were configured with engine=off, this value could 'propagate' to other
    virtual hosts. Because setting this option to 'off' disables execution of
    PHP scripts, the source code of the scripts could end up being sent to the
    end clients.

    Impact
    =======

    Even though in their worst-case situations these problems could have severe
    implications, these worst-cases are rare. In order to take advantage of
    problem #1, the attacker must have good knowledge of the structure of the
    site, the values of the various PHP directives in each directory, and a way
    that would help him exploit the bug using this knowledge. In addition, he
    must also be lucky enough to perform the attack on the same Apache httpd
    process that he exploits in a prior request, which can be very difficult to
    do on a busy site.
    Problem #2 is more serious, but because of its severity, it's most often
    detected immediately. This problem also only affects a setup that has
    multiple virtual hosts with some of them configured not to allow execution
    of PHP scripts, which is pretty rare.

    Affected Software Versions
    ===========================

    All versions of PHP 4.0, from PHP 4.0.0 (and possibly earlier betas)
    through PHP 4.0.4 are vulnerable to these problems. Note that only the
    Apache module version of PHP is vulnerable - the CGI module as well as
    other server modules are *NOT* affected.

    PHP 3.0 is *NOT* affected.

    Solution
    ========

    The recommended solution is to upgrade to PHP 4.0.4pl1, available at
    http://www.php.net/downloads.php

    A workaround for problem #2 is to explicitly set 'engine=on' on all of the
    virtual hosts that are supposed to serve PHP pages, if one or more virtual
    hosts is configured with engine=off.

    A partial workaround for problem #1 is to disallow 'OPTIONS' requests.
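The httpd.conf fragment below is an added illustration, not part of the original advisory, showing both workarounds applied to a PHP 4 Apache-module setup: 'engine' stated explicitly on every virtual host that is meant to run PHP, and OPTIONS requests refused. The host names, addresses, document roots and the two-host layout are assumed for the example; only php_admin_flag, engine and the Apache <Limit> directive come from the advisory and the PHP/Apache documentation.

```apache
# Added example (not from the advisory): httpd.conf fragment for the PHP 4
# Apache module, showing the workarounds described above. Host names,
# addresses, document roots and the vhost layout are assumed.

NameVirtualHost 192.0.2.10

# Risky layout (before): the first vhost disables PHP, the second relies on
# the default 'engine = on' and never says so. With PHP 4.0.0 - 4.0.4 the
# 'engine off' of the first host could propagate to the second, which would
# then hand out raw script source instead of executing it.
#
#   <VirtualHost 192.0.2.10>
#       ServerName static.example.com
#       DocumentRoot /var/www/static
#       php_admin_flag engine off
#   </VirtualHost>
#
#   <VirtualHost 192.0.2.10>
#       ServerName www.example.com
#       DocumentRoot /var/www/php
#   </VirtualHost>

# Workaround for problem #2: every virtual host that is supposed to serve
# PHP pages states 'engine on' itself, so nothing is left to be inherited.
<VirtualHost 192.0.2.10>
    ServerName static.example.com
    DocumentRoot /var/www/static
    php_admin_flag engine off
</VirtualHost>

<VirtualHost 192.0.2.10>
    ServerName www.example.com
    DocumentRoot /var/www/php
    php_admin_flag engine on

    # Partial workaround for problem #1: refuse OPTIONS requests.
    # <Limit> only restricts the methods listed in it, so GET, POST and
    # HEAD are unaffected.
    <Directory /var/www/php>
        <Limit OPTIONS>
            Order deny,allow
            Deny from all
        </Limit>
    </Directory>
</VirtualHost>
```

php_admin_flag is used rather than php_flag because it cannot be overridden from an .htaccess file. After `apachectl configtest` and a restart, fetch a .php page from each virtual host and confirm the body is rendered output and not the script text; that is the quickest way to notice the problem #2 leak the advisory describes.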

    Acknowledgements
    ==================

    I'd like to thank James Moore, who, after hearing about the bug report,
    managed to successfully reproduce it and issue a pin-pointing problem
    description that helped solve the bug instantly.

    Zeev

    PHP Group
    http://www.php.net/

    --
    Zeev Suraski <zeevzend.com>
    CTO &  co-founder, Zend Technologies Ltd. http://www.zend.com/