Stay Secure with the Latest Linux Advisories

security advisoryGentoonormal severity

Gentoo: GLSA-200402-01 Normal: PHP Setting Leak in Apache Virtual Hosts

If the server configuration "php.ini" file has "register_globals = on" and a request is made to one virtual host (which has "php_admin_flag register_globals off") and the next request is sent to the another virtual host (which does not have the setting) through the same apache [More...]. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200402-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ~ https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ~ Severity: Normal ~ Title: PHP setting leaks from .htaccess files on virtual hosts ~ Date: February 07, 2004 ~ Bugs: #39952 ~ ID: 200402-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= If the server configuration "php.ini" file has "register_globals = on" and a request is made to one virtual host (which has "php_admin_flag register_globals off") and the next request is sent to the another virtual host (which does not have the setting) through the same apache child, the setting will persist. This may lead to leaks of global variables. Background ========= PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. Description ========== If the server configuration "php.ini" file has "register_globals = on" and a request is made to one virtual host (which has "php_admin_flag register_globals off") and the next request is sent to the another virtual host (which does not have the setting) through the same Apache child, the setting will persist. Impact ===== Depending on the server and site, an attacker may be able to exploit global variables to gain access to reserved areas, such as MySQL passwords, or this vulnerability may simply cause a lack of functionality. As a result,users are urged to upgrade their PHP installations. Gentoo ships PHP with "register_globals" set to "off" by default. This issue affects both servers running Apache 1.x and servers running Apache 2.x. Workaround ========= No immediate workaround is available; a software upgrade is required. Resolution ========= All users are recommended to upgrade their mod_php installation to 4.3.4-r4: ~ # emerge sync ~ # emerge -pv "> =dev-php/mod_php-4.3.4-r4" ~ # emerge "> =dev-php/mod_php-4.3.4-r4" Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to This email address is being protected from spambots. You need JavaScript enabled to view it. or alternatively, you may file a bug at https://bugs.gentoo.org/. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - iD8DBQFAJDkqMMXbAy2b2EIRAhRMAJ9SDV/WHYdUDqADIp29JmqGeFQszQCdFvRV nCYFaIKKbzwJKHa9IUa2fvk=SM5z -----END PGP SIGNATURE----- . Delve into Gentoo's notification regarding PHP configurations exposed through .htaccess files, accentuating potential security flaws and outlining steps for improvement.. Gentoo Security Advisory, PHP Configuration Leak, Apache Security Risk. . LinuxSecurity.com Team

Feb 07, 2004 Gentoo