ID: 14909
Comment by: [EMAIL PROTECTED]
Old Reported By: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Critical
Bug Type: Apache related
Operating System: Windows
PHP Version: 4.1.1
Assigned To: imajes
New Comment:
I have windows xp + apache + php 4.1 installed and the /php/ alias is
also definied in my httpd.conf and therefor I am also affected by this
exploit. but how can I use php WITHOUT this alias in apache conf? I
tried several things but it doesn't work.
chris, 15 =)
Previous Comments:
------------------------------------------------------------------------
[2002-01-09 02:17:17] [EMAIL PROTECTED]
so do we have to read the documentation again on how to install PHP??
have u added a fix?
------------------------------------------------------------------------
[2002-01-08 08:03:10] [EMAIL PROTECTED]
the documentation is fixed, i committed this morning/last night.
there is however a bug in the way apache handles the binary -- or the
way php acts when called as a binary (you can get premature end of
script headers).
What i would like to do is leave this open, and noticeable for some of
the apache guys to take a look at and comment on it.
The docs are fixed.... we just need to wait to see if this is a thing to
hand off to apache.
------------------------------------------------------------------------
[2002-01-08 07:16:40] [EMAIL PROTECTED]
As said by others, this is NOT a bug, but a documentation problem.
(btw: assigned to only needs your username)
------------------------------------------------------------------------
[2002-01-08 03:28:11] [EMAIL PROTECTED]
Ok,
I have checked in a newer, cleaner version of the relevant
documentation.
As far as the guidelines go, configuring php and apache like that is a
massive security risk, (since we've been recommending all production
level sites to create a script alias for /php/ and mapping that to their
php directory), so I appeal to the apache people (Jimw, etc) to look
into ways of fixing it so you don't have to use a scriptalias and
action. (or use action with an absolute path).
This is a pretty urgent problem, so i'm going to mark this bug as
critical and move it to Apache Related.
------------------------------------------------------------------------
[2002-01-07 12:02:52] [EMAIL PROTECTED]
Georg, our security section has a link to that CERT
advisory for quite a long time now. I have added a
warning and a link to the particular security page
to that setup instruction page for Apache windows.
Please give better instructions for CGI setups
under windows if you can. A setup, where PHP
sritps are portable, so no #!c:\php\php.exe type
of method is doable...
Maybe James can find another way. The Apache doc
only documents the methods we have in the install
and security chapters...
---
Goba
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/?id=14909
Edit this bug report at http://bugs.php.net/?id=14909&edit=1
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
