COMMAND
PHP
SYSTEMS AFFECTED
PHP 4.0.0...4.0.4
PROBLEM
Zeev Suraski found the following. PHP supports a configuration
mechanism that allows users to configure PHP directives on a
per-directory basis. Under Apache, this is usually done using
.htaccess files. Problem #1: due to a bug in the Apache module
version of PHP, remote malicious users might be able to craft a
special HTTP request that causes PHP to serve the next page handled
by the same httpd process with the wrong values for these
directives. In certain (fairly rare) situations, this could result
in a security problem.
Problem #2: PHP supports being installed, and yet disabled, by
setting the configuration option 'engine = off'. Due to a bug in
the Apache module version of PHP, if one or more virtual hosts
within a single Apache server were configured with engine=off,
this value could 'propagate' to other virtual hosts. Because
setting this option to 'off' disables execution of PHP scripts,
the source code of the scripts could end up being sent to the end
clients, exposing whatever those scripts contain (database
credentials, for example).
Even though in their worst-case situations these problems could
have severe implications, these worst-cases are rare. In order
to take advantage of problem #1, the attacker must have good
knowledge of the structure of the site, the values of the various
PHP directives in each directory, and a way to exploit the bug
using this knowledge. In addition, he must also be lucky enough
to have his follow-up request handled by the same Apache httpd
child process that he primed with the prior request, which can be
very difficult to do on a busy site.
Problem #2 is more serious, but because of its severity, it's most
often detected immediately. This problem also only affects a
setup that has multiple virtual hosts with some of them configured
not to allow execution of PHP scripts, which is pretty rare.
All versions of PHP 4.0, from PHP 4.0.0 (and possibly earlier
betas) through PHP 4.0.4, are vulnerable to these problems. Note
that only the Apache module version of PHP (mod_php) is vulnerable
- the CGI version as well as other server modules are *NOT*
affected.
PHP 3.0 is *NOT* affected.
SOLUTION
The recommended solution is to upgrade to PHP 4.0.4pl1, available
at
http://www.php.net/downloads.php
A workaround for problem #2 is to explicitly set 'engine=on' on
all of the virtual hosts that are supposed to serve PHP pages, if
one or more virtual hosts is configured with engine=off.
A partial workaround for problem #1 is to disallow 'OPTIONS'
requests.
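The following httpd.conf fragment is an added example, not part of
the original advisory, showing both workarounds above applied to
an Apache 1.3-style configuration. The host names, IP address,
document roots and the use of php_admin_flag are assumptions for
illustration; the advisory itself only says to set engine=on on
every PHP-serving virtual host and to disallow OPTIONS requests.

```apache
# Added example (not from the advisory): Apache 1.3 httpd.conf fragment
# applying both workarounds from the SOLUTION section. Host names,
# addresses and paths are illustrative assumptions.

# Problem #2 workaround: a vhost that must not run PHP sets engine
# off, and every vhost that DOES serve PHP sets engine on explicitly
# so the 'off' value has nothing to propagate into.
<VirtualHost 192.0.2.10:80>
    ServerName static.example.com
    DocumentRoot /var/www/static
    # Intentionally disabled: this host must never execute PHP.
    # php_admin_flag (rather than php_flag) so that an .htaccess file
    # under DocumentRoot cannot turn it back on.
    php_admin_flag engine off
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
    # Explicit, not inherited: without this line the bug in
    # PHP 4.0.0 through 4.0.4 could leave engine=off in effect here
    # and send the raw .php source to clients.
    php_admin_flag engine on
</VirtualHost>

# Problem #1 partial workaround: refuse OPTIONS requests server-wide.
# A <Location /> block in the main server section is inherited by
# every virtual host that does not override it. Order/Deny is the
# mod_access syntax of Apache 1.3/2.0/2.2; Apache 2.4 would use
# "Require all denied" instead.
<Location />
    <Limit OPTIONS>
        Order deny,allow
        Deny from all
    </Limit>
</Location>
```

After `apachectl configtest` and `apachectl graceful`, verify the
result against each PHP-serving host rather than trusting the
config: `curl -s http://www.example.com/index.php | grep -c '<?php'`
should print 0 (no source leaked), and
`curl -s -o /dev/null -w '%{http_code}' -X OPTIONS http://www.example.com/`
should print 403. Denying OPTIONS only blocks the request method the
advisory names; it is a stopgap until the upgrade to 4.0.4pl1.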
For Linux-Mandrake:
Linux-Mandrake 7.2: 7.2/RPMS/mod_php-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-dba_gdbm_db2-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-devel-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-gd-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-imap-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-ldap-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-manual-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-mysql-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-pgsql-4.0.4pl1-1.2mdk.i586.rpm
7.2/RPMS/php-readline-4.0.4pl1-1.2mdk.i586.rpm
7.2/SRPMS/php-4.0.4pl1-1.2mdk.src.rpm
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/php4-4.0.4pl1-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/php4-4.0.4pl1-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/php4-doc-4.0.4pl1-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/php4-imap-4.0.4pl1-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/php4-ldap-4.0.4pl1-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/php4-mysql-4.0.4pl1-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/php4-pgsql-4.0.4pl1-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/mod_php4-4.0.4pl1-1cl.i386.rpm
For RedHat:
ftp://updates.redhat.com/5.2/SRPMS/php-3.0.18-1.5.x.src.rpm
ftp://updates.redhat.com/5.2/alpha/php-3.0.18-1.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/php-manual-3.0.18-1.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/php-pgsql-3.0.18-1.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/i386/php-3.0.18-1.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/php-manual-3.0.18-1.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/php-pgsql-3.0.18-1.5.x.i386.rpm
ftp://updates.redhat.com/5.2/sparc/php-3.0.18-1.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/php-manual-3.0.18-1.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/php-pgsql-3.0.18-1.5.x.sparc.rpm
ftp://updates.redhat.com/6.0/SRPMS/php-3.0.18-1.6.x.src.rpm
ftp://updates.redhat.com/6.0/i386/php-3.0.18-1.6.x.i386.rpm
ftp://updates.redhat.com/6.0/i386/php-imap-3.0.18-1.6.x.i386.rpm
ftp://updates.redhat.com/6.0/i386/php-ldap-3.0.18-1.6.x.i386.rpm
ftp://updates.redhat.com/6.0/i386/php-manual-3.0.18-1.6.x.i386.rpm
ftp://updates.redhat.com/6.0/i386/php-pgsql-3.0.18-1.6.x.i386.rpm
ftp://updates.redhat.com/6.0/sparc/php-3.0.18-1.6.x.sparc.rpm
ftp://updates.redhat.com/6.0/sparc/php-imap-3.0.18-1.6.x.sparc.rpm
ftp://updates.redhat.com/6.0/sparc/php-ldap-3.0.18-1.6.x.sparc.rpm
ftp://updates.redhat.com/6.0/sparc/php-manual-3.0.18-1.6.x.sparc.rpm
ftp://updates.redhat.com/6.0/sparc/php-pgsql-3.0.18-1.6.x.sparc.rpm
ftp://updates.redhat.com/6.1/SRPMS/php-3.0.18-1.6.x.src.rpm
ftp://updates.redhat.com/6.1/alpha/php-3.0.18-1.6.x.alpha.rpm
ftp://updates.redhat.com/6.1/alpha/php-imap-3.0.18-1.6.x.alpha.rpm
ftp://updates.redhat.com/6.1/alpha/php-ldap-3.0.18-1.6.x.alpha.rpm
ftp://updates.redhat.com/6.1/alpha/php-manual-3.0.18-1.6.x.alpha.rpm
ftp://updates.redhat.com/6.1/alpha/php-pgsql-3.0.18-1.6.x.alpha.rpm
ftp://updates.redhat.com/6.1/i386/php-3.0.18-1.6.x.i386.rpm
ftp://updates.redhat.com/6.1/i386/php-imap-3.0.18-1.6.x.i386.rpm
ftp://updates.redhat.com/6.1/i386/php-ldap-3.0.18-1.6.x.i386.rpm
ftp://updates.redhat.com/6.1/i386/php-manual-3.0.18-1.6.x.i386.rpm
ftp://updates.redhat.com/6.1/i386/php-pgsql-3.0.18-1.6.x.i386.rpm
ftp://updates.redhat.com/6.1/sparc/php-3.0.18-1.6.x.sparc.rpm
ftp://updates.redhat.com/6.1/sparc/php-imap-3.0.18-1.6.x.sparc.rpm
ftp://updates.redhat.com/6.1/sparc/php-ldap-3.0.18-1.6.x.sparc.rpm
ftp://updates.redhat.com/6.1/sparc/php-manual-3.0.18-1.6.x.sparc.rpm
ftp://updates.redhat.com/6.1/sparc/php-pgsql-3.0.18-1.6.x.sparc.rpm
ftp://updates.redhat.com/6.2/SRPMS/php-3.0.18-1.6.x.src.rpm
ftp://updates.redhat.com/6.2/alpha/php-3.0.18-1.6.x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/php-imap-3.0.18-1.6.x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/php-ldap-3.0.18-1.6.x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/php-manual-3.0.18-1.6.x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/php-pgsql-3.0.18-1.6.x.alpha.rpm
ftp://updates.redhat.com/6.2/i386/php-3.0.18-1.6.x.i386.rpm
ftp://updates.redhat.com/6.2/i386/php-imap-3.0.18-1.6.x.i386.rpm
ftp://updates.redhat.com/6.2/i386/php-ldap-3.0.18-1.6.x.i386.rpm
ftp://updates.redhat.com/6.2/i386/php-manual-3.0.18-1.6.x.i386.rpm
ftp://updates.redhat.com/6.2/i386/php-pgsql-3.0.18-1.6.x.i386.rpm
ftp://updates.redhat.com/6.2/sparc/php-3.0.18-1.6.x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/php-imap-3.0.18-1.6.x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/php-ldap-3.0.18-1.6.x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/php-manual-3.0.18-1.6.x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/php-pgsql-3.0.18-1.6.x.sparc.rpm
ftp://updates.redhat.com/7.0/SRPMS/php-4.0.4pl1-3.src.rpm
ftp://updates.redhat.com/7.0/alpha/php-4.0.4pl1-3.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/php-imap-4.0.4pl1-3.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/php-ldap-4.0.4pl1-3.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/php-manual-4.0.4pl1-3.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/php-mysql-4.0.4pl1-3.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/php-pgsql-4.0.4pl1-3.alpha.rpm
ftp://updates.redhat.com/7.0/i386/php-4.0.4pl1-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-imap-4.0.4pl1-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-ldap-4.0.4pl1-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-manual-4.0.4pl1-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-mysql-4.0.4pl1-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-pgsql-4.0.4pl1-3.i386.rpm
For Debian:
http://security.debian.org/dists/stable/updates/main/source/php4_4.0.3pl1-0potato1.1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/php4_4.0.3pl1-0potato1.1.dsc
http://security.debian.org/dists/stable/updates/main/source/php4_4.0.3pl1.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-gd_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-imap_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-ldap_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-mhash_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-mysql_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-pgsql_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-snmp_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-xml_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-gd_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-imap_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-ldap_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-mhash_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-mysql_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-pgsql_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-snmp_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-xml_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-gd_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-imap_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-ldap_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-mhash_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-mysql_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-pgsql_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-snmp_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-xml_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-gd_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-imap_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-ldap_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-mhash_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-mysql_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-pgsql_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-snmp_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-xml_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-gd_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-imap_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-ldap_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-mhash_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-mysql_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-pgsql_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-snmp_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-xml_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-gd_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-imap_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-ldap_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-mhash_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-mysql_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-pgsql_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-snmp_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-xml_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-gd_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-imap_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-ldap_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-mhash_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-mysql_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-pgsql_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-snmp_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-xml_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-gd_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-imap_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-ldap_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-mhash_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-mysql_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-pgsql_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-snmp_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-xml_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-gd_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-imap_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-ldap_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-mhash_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-mysql_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-pgsql_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-snmp_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-xml_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-gd_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-imap_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-ldap_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-mhash_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-mysql_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-pgsql_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-snmp_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-xml_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4_4.0.3pl1-0potato1.1_powerpc.deb