Re: [Full-Disclosure] [ GLSA 200402-01 ] PHP setting leaks from .htaccess files on virtual hosts

From: Sergei Golod (rover_at_tob.ru)
Date: 02/07/04

    To: "Tim Yamin" <plasmaroo@gentoo.org>
    Date: Sat, 7 Feb 2004 12:31:26 +0500
    
    

    This bug was discussed at http://bugs.php.net/bug.php?id=25753.
    Are we talking about the same bug?

    ----- Original Message -----
    From: "Tim Yamin" <plasmaroo@gentoo.org>
    To: <bugtraq@securityfocus.com>; <full-disclosure@lists.netsys.com>;
    <security-alerts@linuxsecurity.com>; <gentoo-core@gentoo.org>;
    <gentoo-announce@gentoo.org>
    Sent: Saturday, February 07, 2004 6:02 AM
    Subject: [Full-Disclosure] [ GLSA 200402-01 ] PHP setting leaks from
    .htaccess files on virtual hosts

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    > Gentoo Linux Security Advisory GLSA 200402-01
    > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    > ~ http://security.gentoo.org
    > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    >
    > ~ Severity: Normal
    > ~ Title: PHP setting leaks from .htaccess files on virtual hosts
    > ~ Date: February 07, 2004
    > ~ Bugs: #39952
    > ~ ID: 200402-01
    >
    > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    >
    > Synopsis
    > ========
    >
    > If the server configuration "php.ini" file has "register_globals = on"
    > and a request is made to one virtual host (which has "php_admin_flag
    > register_globals off") and the next request is sent to another
    > virtual host (which does not have the setting) through the same apache
    > child, the setting will persist. This may lead to leaks of global
    > variables.
    >
    > Background
    > ==========
    >
    > PHP is a widely-used general-purpose scripting language that is
    > especially suited for Web development and can be embedded into HTML.
    >
    > Description
    > ===========
    >
    > If the server configuration "php.ini" file has "register_globals = on"
    > and a request is made to one virtual host (which has "php_admin_flag
    > register_globals off") and the next request is sent to another
    > virtual host (which does not have the setting) through the same Apache
    > child, the setting will persist.
    >
    > Impact
    > ======
    >
    > Depending on the server and site, an attacker may be able to exploit
    > global variables to gain access to reserved areas, such as MySQL
    > passwords, or this vulnerability may simply cause a lack of
    > functionality. As a result, users are urged to upgrade their PHP
    > installations.
    >
    > Gentoo ships PHP with "register_globals" set to "off" by default.
    >
    > This issue affects both servers running Apache 1.x and servers running
    > Apache 2.x.
    >
    > Workaround
    > ==========
    >
    > No immediate workaround is available; a software upgrade is required.
    >
    > Resolution
    > ==========
    >
    > All users are recommended to upgrade their mod_php installation to
    > 4.3.4-r4:
    >
    > ~ # emerge sync
    > ~ # emerge -pv ">=dev-php/mod_php-4.3.4-r4"
    > ~ # emerge ">=dev-php/mod_php-4.3.4-r4"
    >
    > Concerns?
    > =========
    >
    > Security is a primary focus of Gentoo Linux and ensuring the
    > confidentiality and security of our users' machines is of utmost
    > importance to us. Any security concerns should be addressed to
    > security@gentoo.org or alternatively, you may file a bug at
    > http://bugs.gentoo.org.
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.2.1 (GNU/Linux)
    > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
    >
    > iD8DBQFAJDkqMMXbAy2b2EIRAhRMAJ9SDV/WHYdUDqADIp29JmqGeFQszQCdFvRV
    > nCYFaIKKbzwJKHa9IUa2fvk=
    > =SM5z
    > -----END PGP SIGNATURE-----
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
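
The configuration the quoted advisory describes (a php.ini value that one virtual host overrides with php_admin_flag while another virtual host leaves it unset) can be checked for statically. The following is an added example, not part of the original thread and not PHP or Gentoo code. The sample configuration, host names and function names are constructed, and treating an override in either direction as a leak source is an assumption that goes beyond the advisory's stated case (php.ini on, one vhost off); .htaccess files are not parsed.

```python
import re

# Constructed sample configuration (host names are placeholders).
SAMPLE_HTTPD_CONF = """
<VirtualHost *:80>
    ServerName a.example
    php_admin_flag register_globals off
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example
    DocumentRoot /var/www/b
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.I | re.S)
NAME_RE = re.compile(r"^[ \t]*ServerName[ \t]+(\S+)", re.I | re.M)
FLAG_RE = re.compile(
    r"^[ \t]*php_(?:admin_)?flag[ \t]+register_globals[ \t]+(\S+)", re.I | re.M)
INI_RE = re.compile(r"^[ \t]*register_globals[ \t]*=[ \t]*(\S+)", re.I | re.M)

def as_bool(value):
    """Interpret an on/off style value as a boolean."""
    return value.strip("\"'").lower() in ("on", "1", "true", "yes")

def audit(httpd_conf, php_ini):
    """Report vhosts whose register_globals value depends on request order."""
    m = INI_RE.search(php_ini)
    global_on = as_bool(m.group(1)) if m else False  # assumed default: off
    explicit, unset = {}, []
    for i, body in enumerate(VHOST_RE.findall(httpd_conf)):
        name = NAME_RE.search(body)
        name = name.group(1) if name else f"vhost#{i}"
        flag = FLAG_RE.search(body)
        if flag:
            explicit[name] = as_bool(flag.group(1))
        else:
            unset.append(name)
    # A vhost that overrides the php.ini value is a possible leak source ...
    overriding = sorted(n for n, v in explicit.items() if v != global_on)
    # ... and every vhost relying on the php.ini value may inherit it.
    exposed = sorted(unset) if overriding else []
    return {"global_on": global_on, "overriding": overriding, "exposed": exposed}

if __name__ == "__main__":
    print(audit(SAMPLE_HTTPD_CONF, "register_globals = On\n"))
```

On an unpatched mod_php, giving every virtual host listed under "exposed" its own explicit php_admin_flag line removes its dependence on what the same Apache child served before.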

