Home page logo

bugtraq logo Bugtraq mailing list archives

Re: PHP Security Advisory - Apache Module bugs
From: James Moore <jmoore () PHP NET>
Date: Tue, 16 Jan 2001 20:40:02 -0000

On 12/Jan/2001, Zeev Suraski wrote:

[2] PHP supports the ability to be installed, and yet disabled,
by setting
the configuration option 'engine = off'.  Due to a bug in the
Apache module
version of PHP, if one or more virtual hosts within a single
Apache server
were configured with engine=off, this value could 'propagate' to other
virtual hosts.  Because setting this option to 'off' disables
execution of

I've been using for some months this settings (php default off, and then
enabling it in the virtualdomains that I want) and I've had no problem at
all ...

Are there any more known circumstances when it happens ??

OK what could happen in your system is that the php engine could be turned
on for some hosts you did not want it to be turned on for, this case was not
tested for by the QA team.

It all depends on where you set your engine off.

Case 1: If you have set it off in the php.ini file then some of the virtual
servers you did not want to have the PHP
        engine on for could infact have the engine turned on.

Case 2: If you have set the option using php_value engine off in your
default (main) server configuration in
        httpd.conf then your setup will not be effected.

If you do find your setup is effected in this way then you can use the
reverse of Zeev's work around and place the line php_value engine off in
your main server configuration section of your httpd.conf

James Moore
PHP Quality Assurance Team
jmoore () php net

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]