ID: 14751
User updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Apache related
Operating System: redhat 7.1 glibc2.2.4 kernel2.4
PHP Version: 4.1.1
New Comment:

Seems resolved for us.

This phenomenon occurs if the SSL-VirtualHost entry's ServerName differs from the main 
server's ServerName (in our case nexus.mkmgmbh.com and secure.mkmgmbh.com).

Anyway, this is undocumented _and_ leads to strange behaviour (as posted before, IE 
seems to have no problems, while Mozilla is able to download PHP source code in this 
case, which makes this a definite security risk for all not thoroughly tested Internet 
sites!).

Jonas Maurus
MKM GmbH

Previous Comments:
------------------------------------------------------------------------

[2001-12-29 07:57:26] [EMAIL PROTECTED]

I don't exactly understand how this happens, but with an Apache+mod_ssl server, Mozilla 
0.9.7 is able to retrieve the source of a .php file, probably by sending non-standard 
headers.

Software used:
- Apache 1.3.22
- mod_ssl 2.8.5
- php 4.1.1
- VirtualHost on port 443 with SSLEngine On.
- "AddHandler application/x-httpd-php .php"

Test URL: https://secure.mkmgmbh.com/horde/test.php

Using Internet Explorer 6, you get the compiled page; using Mozilla 0.9.7, it downloads 
the source. Same URL, different behaviour.

Please note that the server uses a non-standard certificate (signed by our own CA).


[Configure line: './configure' '--prefix=/httpd/php' '--with-apxs=/httpd/bin/apxs' 
'--with-config-file-path=/httpd/conf' '--with-gdbm=/usr' '--with-mysql=/usr' 
'--with-openssl=/usr' '--with-vpopmail=/home/vpopmail' '--with-gettext' '--with-xml' 
'--with-mcrypt=/usr' '--with-imap=/projects/serverupd/imap/imap-2001a' 
'--with-zlib=/usr']



------------------------------------------------------------------------



Edit this bug report at http://bugs.php.net/?id=14751&edit=1


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
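
A regression check for the behaviour reported above (same URL, executed for one client and served as source to another), as an added example that is not part of the original report or of PHP's own code. It classifies responses captured for a .php URL; the function names, client labels and sample responses are constructed for illustration, and treating the handler type as a leak indicator is an assumption.

```python
import re

# A PHP open tag ("<?php", "<?=", or the short "<?") that is not an XML declaration.
PHP_OPEN_TAG = re.compile(rb"<\?(?!xml\b)", re.IGNORECASE)

# The type named in the report's AddHandler line. Assumption: if a client ever
# sees it as the Content-Type, the file was handed out without being executed.
PHP_INTERNAL_TYPE = "application/x-httpd-php"


def leaks_php_source(content_type, body):
    """Return True if a response for a .php URL looks like unexecuted source."""
    base_type = content_type.split(";", 1)[0].strip().lower()
    if base_type == PHP_INTERNAL_TYPE:
        return True
    # Executed output never contains a raw open tag; HTML that merely
    # displays PHP code carries it escaped as "&lt;?php".
    return PHP_OPEN_TAG.search(body) is not None


def leaking_clients(responses):
    """Labels of the clients whose captured response contained source."""
    return [label for label, ctype, body in responses
            if leaks_php_source(ctype, body)]


def is_client_dependent(responses):
    """True when some clients got source and others got the executed page."""
    leaked = leaking_clients(responses)
    return 0 < len(leaked) < len(responses)


# Constructed sample: two captures of the same URL through different clients.
SAMPLE_RESPONSES = [
    ("client-a", "text/html; charset=iso-8859-1",
     b"<html><body>Hello</body></html>"),
    ("client-b", "application/x-httpd-php",
     b"<?php echo 'Hello'; ?>"),
]

if __name__ == "__main__":
    print("source served to:", leaking_clients(SAMPLE_RESPONSES))
    print("client-dependent:", is_client_dependent(SAMPLE_RESPONSES))
```

Run it against captures taken through every virtual host and port that serves the same document root, since the report ties the behaviour to the SSL virtual host.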
