ID: 14909
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Critical
Bug Type: Apache related
Operating System: Windows
PHP Version: 4.1.1
Assigned To: imajes
New Comment:
For an emergency, a simple check at "auto_prepend_file" would help:
<?PHP
// Refuse any request whose URI starts with the CGI binary under the /php/ alias.
if (preg_match("/^\/php\/php.exe/i", $_SERVER["REQUEST_URI"])) {
    print "No Hack";
    exit;
}
?>
Previous Comments:
------------------------------------------------------------------------
[2002-01-09 09:56:39] [EMAIL PROTECTED]
I have windows xp + apache + php 4.1 installed and the /php/ alias is
also defined in my httpd.conf and therefore I am also affected by this
exploit. But how can I use php WITHOUT this alias in apache conf? I
tried several things but it doesn't work.
chris, 15 =)
------------------------------------------------------------------------
[2002-01-09 02:17:17] [EMAIL PROTECTED]
so do we have to read the documentation again on how to install PHP??
have u added a fix?
------------------------------------------------------------------------
[2002-01-08 08:03:10] [EMAIL PROTECTED]
the documentation is fixed, i committed this morning/last night.
there is however a bug in the way apache handles the binary -- or the
way php acts when called as a binary (you can get premature end of
script headers).
What i would like to do is leave this open, and noticeable for some of
the apache guys to take a look at and comment on it.
The docs are fixed.... we just need to wait to see if this is a thing
to hand off to apache.
------------------------------------------------------------------------
[2002-01-08 07:16:40] [EMAIL PROTECTED]
As said by others, this is NOT a bug, but a documentation problem.
(btw: assigned to only needs your username)
------------------------------------------------------------------------
[2002-01-08 03:28:11] [EMAIL PROTECTED]
Ok,
I have checked in a newer, cleaner version of the relevant
documentation.
As far as the guidelines go, configuring php and apache like that is a
massive security risk, (since we've been recommending all production
level sites to create a script alias for /php/ and mapping that to
their php directory), so I appeal to the apache people (Jimw, etc) to
look into ways of fixing it so you don't have to use a scriptalias and
action. (or use action with an absolute path).
This is a pretty urgent problem, so i'm going to mark this bug as
critical and move it to Apache Related.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/14909
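
Added example (not part of the bug report or of PHP's own code): a log review companion to the REQUEST_URI check in the newest comment, listing requests that reached the binary under the /php/ alias. The Apache common log format, the path normalisation steps and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format (prefix only): host, time, request line, status.
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Alias and binary name as they appear in the thread; adjust for other layouts.
BINARY = re.compile(r'^/php/php\.exe(?:/|$)', re.IGNORECASE)


def normalise(target):
    """Reduce a logged request target to a comparable path."""
    path = target.split('?', 1)[0]      # drop the query string
    path = unquote(path)                # decode %XX once
    return re.sub(r'/+', '/', path)     # collapse repeated slashes


def direct_binary_requests(lines):
    """Return (host, time, raw target, status) for requests to the binary."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and BINARY.match(normalise(m['target'])):
            hits.append((m['host'], m['time'], m['target'], int(m['status'])))
    return hits


# Constructed sample lines (documentation IP ranges), not taken from the report.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jan/2002:10:01:12 +0100] "GET /index.php HTTP/1.0" 200 5120',
    '198.51.100.7 - - [09/Jan/2002:10:02:40 +0100] "GET /php/php.exe HTTP/1.0" 500 602',
    '198.51.100.7 - - [09/Jan/2002:10:02:55 +0100] "GET /PHP//php%2Eexe HTTP/1.0" 200 88',
    '192.0.2.33 - - [09/Jan/2002:10:05:03 +0100] "GET /docs/php/php.exe.txt HTTP/1.0" 404 210',
]

if __name__ == '__main__':
    for host, when, target, status in direct_binary_requests(SAMPLE_LOG):
        print(f'{when}  {host}  {status}  {target}')
```

Run it over the access log for the period before the alias was removed or the prepend check was installed; any hit with a 2xx status deserves a closer look.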