5959018 2001-01-12 21:14 +0200  /84 lines/ Zeev Suraski <zeev@ZEND.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-01-15  18:26  by the Mail Carrier (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: zeev@ZEND.COM
Recipient: Bugtraq (import) <14799>
Subject: PHP Security Advisory - Apache Module bugs
------------------------------------------------------------
From: Zeev Suraski <zeev@ZEND.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <5.0.2.1.2.20010112204410.021d1ff8@mail.zend.com>

Problems
=========

[1] PHP supports a configuration mechanism that allows users to
configure PHP directives on a per-directory basis.  Under Apache,
this is usually done using .htaccess files.  Due to a bug in the
Apache module version of PHP, remote 'malicious users' might be able
to create a special HTTP request that would cause PHP to serve the
next page with the wrong values for these directives.  In certain
(fairly rare) situations, this could result in a security problem.

[2] PHP supports the ability to be installed, and yet disabled, by
setting the configuration option 'engine = off'.  Due to a bug in the
Apache module version of PHP, if one or more virtual hosts within a
single Apache server were configured with engine=off, this value
could 'propagate' to other virtual hosts.  Because setting this
option to 'off' disables execution of PHP scripts, the source code of
the scripts could end up being sent to the end clients.


Impact
=======

Even though in their worst-case situations these problems could have
severe implications, these worst-cases are rare.  In order to take
advantage of problem #1, the attacker must have good knowledge of the
structure of the site, the values of the various PHP directives in
each directory, and a way that would help him exploit the bug using
this knowledge.  In addition, he must also be lucky enough to perform
the attack on the same Apache httpd process that he exploits in a
prior request, which can be very difficult to do on a busy site.
Problem #2 is more serious, but because of its severity, it's most
often detected immediately.  This problem also only affects a setup
that has multiple virtual hosts with some of them configured not to
allow execution of PHP scripts, which is pretty rare.


Affected Software Versions
===========================

All versions of PHP 4.0, from PHP 4.0.0 (and possibly earlier betas)
through PHP 4.0.4 are vulnerable to these problems.  Note that only
the Apache module version of PHP is vulnerable - the CGI module as
well as other server modules are *NOT* affected.

PHP 3.0 is *NOT* affected.


Solution
========

The recommended solution is to upgrade to PHP 4.0.4pl1, available at
http://www.php.net/downloads.php

A workaround for problem #2 is to explicitly set 'engine=on' on all
of the virtual hosts that are supposed to serve PHP pages, if one or
more virtual hosts is configured with engine=off.

A partial workaround for problem #1 is to disallow 'OPTIONS' requests.


Acknowledgements
==================

I'd like to thank James Moore, who, after hearing about the bug
report, managed to successfully reproduce it and issued a
pinpointing problem description that helped solve the bug instantly.


Zeev


PHP Group
http://www.php.net/

--
Zeev Suraski <zeev@zend.com>
CTO &  co-founder, Zend Technologies Ltd. http://www.zend.com/
(5959018) --------------------------------(Rewrapped)
5965303 2001-01-16 20:40 +0000  /47 lines/ James Moore <jmoore@PHP.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-01-17  01:52  by the Mail Carrier (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: jmoore@PHP.NET
Recipient: Bugtraq (import) <14848>
Comment on text 5964527 by Javi Polo <javipolo@ONINET.ES>
Subject: Re: PHP Security Advisory - Apache Module bugs
------------------------------------------------------------
From: James Moore <jmoore@PHP.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <NEBBIKBNCLPGPCKHIBNKAEJJCPAA.jmoore@php.net>

> On 12/Jan/2001, Zeev Suraski wrote:
>
> > [2] PHP supports the ability to be installed, and yet disabled, by
> > setting the configuration option 'engine = off'.  Due to a bug in the
> > Apache module version of PHP, if one or more virtual hosts within a
> > single Apache server were configured with engine=off, this value
> > could 'propagate' to other virtual hosts.  Because setting this
> > option to 'off' disables execution of
>
> I've been using these settings for some months (php default off, and then
> enabling it in the virtual domains that I want) and I've had no problem at
> all ...
>
> Are there any more known circumstances when it happens?

OK, what could happen on your system is that the PHP engine could be
turned on for some hosts you did not want it to be turned on for;
this case was not tested for by the QA team.

It all depends on where you set your engine off.

Case 1: If you have set it off in the php.ini file, then some of the
        virtual servers you did not want to have the PHP engine on for
        could in fact have the engine turned on.

Case 2: If you have set the option using php_value engine off in your
        default (main) server configuration in httpd.conf, then your
        setup will not be affected.

If you do find your setup is affected in this way, then you can use
the reverse of Zeev's workaround and place the line php_value engine
off in the main server configuration section of your httpd.conf.

James
--
James Moore
PHP Quality Assurance Team
jmoore@php.net
(5965303) --------------------------------(Rewrapped)
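The workarounds from Zeev's advisory (explicit engine=on on every virtual host that serves PHP, and refusing OPTIONS requests for problem #1) together with James's Case 2 (engine off set in the main server section of httpd.conf rather than only in php.ini), written out as one httpd.conf fragment. This is an added example, not configuration from the advisory, the PHP project or either poster; it assumes Apache 1.3 with PHP 4 loaded as a module and mod_access providing the Order/Deny directives, and the hostnames, IP address and DocumentRoot paths are placeholders.

```apacheconf
# Added example httpd.conf fragment (not from the advisory).  Assumes Apache 1.3
# with PHP 4 as a module and mod_access for Order/Deny; hostnames, the
# 192.0.2.10 address and the DocumentRoot paths are placeholders.

# --- Fragile setup: what James describes as Case 1 ---------------------------
# engine = off lives only in php.ini and every vhost relies on inheriting it:
#
#   ; php.ini
#   engine = off
#
# With the bug in PHP 4.0.0 through 4.0.4, the value one vhost sees can leak
# into another, so a host meant to be PHP-free may execute scripts, or a host
# meant to run PHP may hand out script source instead.

# --- Explicit setup: advisory workaround plus James's Case 2 -----------------
# Main (default) server section: PHP stays off unless a vhost turns it on.
php_value engine off

# Partial workaround for problem #1: refuse OPTIONS requests server-wide.
<Location />
    <Limit OPTIONS>
        Order deny,allow
        Deny from all
    </Limit>
</Location>

NameVirtualHost 192.0.2.10

<VirtualHost 192.0.2.10>
    ServerName www.example.com
    DocumentRoot /var/www/example
    # This host serves PHP: state the value explicitly rather than trusting
    # inheritance from the main section.
    php_value engine on
</VirtualHost>

<VirtualHost 192.0.2.10>
    ServerName static.example.com
    DocumentRoot /var/www/static
    # Static-only host: state engine off here as well so nothing depends on
    # propagation.  Keep PHP source out of this DocumentRoot, since with the
    # engine off any .php file here would be sent to clients verbatim.
    php_value engine off
</VirtualHost>
```

After restarting httpd, request a small test script on each virtual host in turn: the www host should return executed output, and an OPTIONS request to either host should now be refused. Checking every host individually, rather than assuming the php.ini default applies, is what surfaces the Case 1 propagation James describes.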