[18650] in bugtraq
Re: PHP Security Advisory - Apache Module bugs
daemon@ATHENA.MIT.EDU (James Moore)
Tue Jan 16 19:07:53 2001
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <NEBBIKBNCLPGPCKHIBNKAEJJCPAA.jmoore@php.net>
Date: Tue, 16 Jan 2001 20:40:02 -0000
Reply-To: James Moore <jmoore@PHP.NET>
From: James Moore <jmoore@PHP.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010116102725.L5104@gibson.oninet.es>
> On 12/Jan/2001, Zeev Suraski wrote:
>
> > [2] PHP supports the ability to be installed, and yet disabled, by setting
> > the configuration option 'engine = off'. Due to a bug in the Apache module
> > version of PHP, if one or more virtual hosts within a single Apache server
> > were configured with engine=off, this value could 'propagate' to other
> > virtual hosts. Because setting this option to 'off' disables execution of
>
> I've been using these settings for some months (PHP default off, and then
> enabling it in the virtual domains that I want) and I've had no problems at
> all ...
>
> Are there any more known circumstances when it happens?

OK, what could happen in your system is that the PHP engine could be turned
on for some hosts you did not want it to be turned on for; this case was not
tested for by the QA team.

It all depends on where you set your engine off.

Case 1: If you have set it off in the php.ini file, then some of the virtual
servers you did not want to have the PHP engine on for could in fact have the
engine turned on.

Case 2: If you have set the option using php_value engine off in your default
(main) server configuration in httpd.conf, then your setup will not be
affected.

If you do find your setup is affected in this way, then you can use the
reverse of Zeev's workaround and place the line php_value engine off in
your main server configuration section of your httpd.conf.

James
--
James Moore
PHP Quality Assurance Team
jmoore@php.net
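
Added example, not part of the original message or of the PHP project's code: a small audit that tells Case 1 from Case 2 by checking whether an httpd.conf pins the engine option in the main server section or leaves it to php.ini. The function names, host names and sample configurations are constructed for illustration, and treating any value other than on/1/true as "off" is an assumption.

```python
import re

# Apache directives through which mod_php's "engine" option can be set.
ENGINE = re.compile(r'^\s*php_(?:admin_)?(?:value|flag)\s+engine\s+"?(\w+)"?', re.I)
VHOST_OPEN = re.compile(r'^\s*<VirtualHost\s+([^>]+)>', re.I)
VHOST_CLOSE = re.compile(r'^\s*</VirtualHost>', re.I)
SERVER_NAME = re.compile(r'^\s*ServerName\s+(\S+)', re.I)
ON_WORDS = {"on", "1", "true"}  # assumption: every other value means "off"

def audit_engine(conf_text):
    """Return (main, vhosts). A setting is 'on', 'off', or None when the
    scope has no explicit engine directive of its own."""
    main, vhosts, current = {"engine": None}, {}, None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if (m := VHOST_OPEN.match(line)):
            current = {"name": m.group(1).strip(), "engine": None}
        elif VHOST_CLOSE.match(line) and current is not None:
            vhosts[current["name"]] = current["engine"]
            current = None
        elif (m := SERVER_NAME.match(line)) and current is not None:
            current["name"] = m.group(1)
        elif (m := ENGINE.match(line)):
            (current or main)["engine"] = "on" if m.group(1).lower() in ON_WORDS else "off"
    return main["engine"], vhosts

def unpinned_scopes(conf_text):
    """Scopes whose engine state comes only from php.ini (Case 1)."""
    main, vhosts = audit_engine(conf_text)
    names = ["main server"] if main is None else []
    return names + [n for n, v in vhosts.items() if v is None and main is None]

# Constructed sample configurations (not from the original message).
VHOSTS = """
<VirtualHost 192.0.2.10>
    ServerName app.example.test
    php_value engine on
</VirtualHost>
<VirtualHost 192.0.2.11>
    ServerName static.example.test
</VirtualHost>
"""
CASE1 = "ServerName main.example.test\n" + VHOSTS  # engine off only in php.ini
CASE2 = "php_value engine off\n" + VHOSTS          # pinned in the main server section

for label, conf in (("Case 1", CASE1), ("Case 2", CASE2)):
    print(label, audit_engine(conf), unpinned_scopes(conf))
```

An empty result from `unpinned_scopes` corresponds to Case 2; any listed scope depends on the php.ini default and is a candidate for the main-server `php_value engine off` line described in the message.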