ID: 14909 Updated by: imajes Reported By: [EMAIL PROTECTED] Old Status: Open Status: Critical Old Bug Type: Documentation problem Bug Type: Apache related Operating System: Windows PHP Version: 4.1.1 Assigned To: [EMAIL PROTECTED] New Comment:
Ok, I have checked in a newer, cleaner version of the relevant documentation. As far as the guidelines go, configuring php and apache like that is a massive security risk, (since we've been recommending all production level sites to create a script alias for /php/ and mapping that to their php directory), so I appeal to the apache people (Jimw, etc) to look into ways of fixing it so you don't have to use a scriptalias and action. (or use action with an absolute path). This is a pretty urgent problem, so i'm going to mark this bug as critical and move it to Apache Related. Previous Comments: ------------------------------------------------------------------------ [2002-01-07 12:02:52] [EMAIL PROTECTED] Georg, our security section has a link to that CERT advisory for quite a long time now. I have added a warning and a link to the particular security page to that setup instruction page for Apache windows. Please give better instructions for CGI setups under windows if you can. A setup, where PHP sritps are portable, so no #!c:\php\php.exe type of method is doable... Maybe James can find another way. The Apache doc only documents the methods we have in the install and security chapters... --- Goba ------------------------------------------------------------------------ [2002-01-07 09:46:58] [EMAIL PROTECTED] Actually, our documentation tells win32 users to install that way. I'm investigating a better method right now, and will patch the documentation in a short while. I knew i forgot to do something after i updated my win32 last week! ------------------------------------------------------------------------ [2002-01-07 09:41:20] [EMAIL PROTECTED] Unbelievable, why do you set your cgi-binary in the document root tree!? See http://www.cert.org/advisories/CA-1996-11.html ------------------------------------------------------------------------ [2002-01-07 09:34:04] [EMAIL PROTECTED] Well you should have already heard about this but I'll report it anyway becoz we all need a fix very fast! Well when you do this: http://www.example.com/php/php.exe?c:\winnt\repair\sam (this is an example, you can view any file) it will return the files contents! This happens with ANY windows versions...i don't think it affects linux. Also this will return the install path of PHP: http://www.example.com/php/php4ts.dll could you please get a path/new vesion out ASAP! This is extremly serious! ------------------------------------------------------------------------ Edit this bug report at http://bugs.php.net/?id=14909&edit=1 -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
