Title: PHP Apache Module Bug
Released by: PHP Group
Date: 15th January 2001
Problems
=========

[1] PHP supports a configuration mechanism that allows users to configure PHP directives on a per-directory basis. Under Apache, this is usually done using .htaccess files. Due to a bug in the Apache module version of PHP, remote 'malicious users' might be able to create a special HTTP request that would cause PHP to serve the next page with the wrong values for these directives. In certain (fairly rare) situations, this could result in a security problem.

[2] PHP supports the ability to be installed, and yet disabled, by setting the configuration option 'engine = off'. Due to a bug in the Apache module version of PHP, if one or more virtual hosts within a single Apache server were configured with engine=off, this value could 'propagate' to other virtual hosts. Because setting this option to 'off' disables execution of PHP scripts, the source code of the scripts could end up being sent to the end clients.


Impact
=======

Even though in their worst-case situations these problems could have severe implications, these worst-cases are rare. In order to take advantage of problem #1, the attacker must have good knowledge of the structure of the site, the values of the various PHP directives in each directory, and a way that would help him exploit the bug using this knowledge. In addition, he must also be lucky enough to perform the attack on the same Apache httpd process that he exploits in a prior request, which can be very difficult to do on a busy site.

Problem #2 is more serious, but because of its severity, it's most often detected immediately. This problem also only affects a setup that has multiple virtual hosts with some of them configured not to allow execution of PHP scripts, which is pretty rare.


Affected Software Versions
===========================

All versions of PHP 4.0, from PHP 4.0.0 (and possibly earlier betas) through PHP 4.0.4 are vulnerable to these problems. Note that only the Apache module version of PHP is vulnerable - the CGI module as well as other server modules are *NOT* affected.

PHP 3.0 is *NOT* affected.


Solution
========

The recommended solution is to upgrade to PHP 4.0.4pl1, available at http://www.php.net/downloads.php

A workaround for problem #2 is to explicitly set 'engine=on' on all of the virtual hosts that are supposed to serve PHP pages, if one or more virtual hosts is configured with engine=off.

A partial workaround for problem #1 is to disallow 'OPTIONS' requests.

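As an added example that is not part of the advisory, the following Apache 1.3 httpd.conf fragment applies both workarounds on a PHP 4.0.x Apache-module installation; the host names and document roots are assumed placeholders.

```apache
# Added example, not from the PHP Group advisory. Host names and paths are
# placeholders. Assumes Apache 1.3 with mod_access and the PHP 4 Apache module.
NameVirtualHost *

# A host that is meant not to run PHP at all. On the affected PHP versions,
# this 'off' value could propagate to other virtual hosts served by the same
# httpd process (problem #2).
<VirtualHost *>
    ServerName static.example.com
    DocumentRoot /var/www/static
    php_admin_flag engine off
</VirtualHost>

# Workaround for problem #2: every host that serves PHP states engine=on
# explicitly instead of relying on the default, so a propagated 'off' does
# not leave script source being sent to clients.
<VirtualHost *>
    ServerName app.example.com
    DocumentRoot /var/www/app
    php_admin_flag engine on

    # Partial workaround for problem #1: refuse OPTIONS requests for this
    # host, as the advisory recommends.
    <Directory /var/www/app>
        <Limit OPTIONS>
            Order deny,allow
            Deny from all
        </Limit>
    </Directory>
</VirtualHost>
```

The workarounds only reduce exposure on vulnerable builds; the upgrade to PHP 4.0.4pl1 remains the fix.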

Acknowledgements
==================

I'd like to thank James Moore, who, after hearing about the bug report, managed to successfully reproduce it, and issue a pin-pointing problem description, that helped solve the bug instantly.

Zeev

PHP Group
http://www.php.net/

--
Zeev Suraski
CTO & co-founder, Zend Technologies Ltd. http://www.zend.com/