[1] PHP supports a configuration mechanism that allows users to configure 
PHP directives on a per-directory basis.  Under Apache, this is usually 
done using .htaccess files.  Due to a bug in the Apache module version of 
PHP, remote 'malicious users' might be able to create a special HTTP 
request that would cause PHP to serve the next page with the wrong values 
for these directives.  In certain (fairly rare) situations, this could 
result in a security problem.

[2] PHP supports the ability to be installed, and yet disabled, by setting 
the configuration option 'engine = off'.  Due to a bug in the Apache module 
version of PHP, if one or more virtual hosts within a single Apache server 
were configured with engine=off, this value could 'propagate' to other 
virtual hosts.  Because setting this option to 'off' disables execution of 
PHP scripts, the source code of the scripts could end up being sent to the 
end clients.


Even though in their worst-case situations these problems could have severe 
implications, these worst-cases are rare.  In order to take advantage of 
problem #1, the attacker must have good knowledge of the structure of the 
site, the values of the various PHP directives in each directory, and a way 
that would help him exploit the bug using this knowledge.  In addition, he 
must also be lucky enough to perform the attack on the same Apache httpd 
process that he exploits in a prior request, which can be very difficult to 
do on a busy site.
Problem #2 is more serious, but because of its severity, it's most often 
detected immediately.  This problem also only affects a setup that has 
multiple virtual hosts with some of them configured not to allow execution 
of PHP scripts, which is pretty rare.

Affected Software Versions

All versions of PHP 4.0, from PHP 4.0.0 (and possibly earlier betas) 
through PHP 4.0.4 are vulnerable to these problems.  Note that only the 
Apache module version of PHP is vulnerable - the CGI module as well as 
other server modules are *NOT* affecgted.

PHP 3.0 is *NOT* affected.


The recommended solution is to upgrade to PHP 4.0.4pl1, available at

A workaround for problem #2 is to explicitly set 'engine=on' on all of the 
virtual hosts that are supposed to serve PHP pages, if one or more virtual 
hosts is configured with engine=off.

A partial workaround for problem #1 is to disallow 'OPTIONS' requests.


I'd like to thank James Moore, which, after hearing about the bug report, 
managed to successfully reproduce it, and issue a pin-pointing problem 
description, that helped solve the bug instantly.


PHP Group

Zeev Suraski <[EMAIL PROTECTED]>
CTO &  co-founder, Zend Technologies Ltd.

PHP Development Mailing List <>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to