RE: [PHP-DEV] PHP script source revealed on windows

2001-01-11 Thread James Moore 


> > I remember people talking not to long ago about PHP scripts
> > on Windows having their code revealed unpredictably. I also
> > remember the thing only seemed to occur on Windows... Has
> > any more been discovered/has this been resolved?
>
> The problem for PHP/Apache/Linux has been resolved, this fix will bein the
> upcoming 4.0.4pl1.

I would just like to add to this saying that it only occured under very very
rare circumstances (which is partaly why it took a while to track down).
Anyway the problem occured when you had multiple vhosts in httpd.conf with
one of them with php_value engine off in them, this config valuse somehow
propogated to the other vhosts, there is one very easy way to fix this
problem and that is to add php_value engine on in your default host
definition. This only effects PHP 4 under Apache module and when php
4.0.4pl1 is released in a few hours then more information on this will be
made avalible and will be posted in the appropriate places.

James
--
James Moore
PHP Quality Assurance Team
[EMAIL PROTECTED]


-- 
PHP Development Mailing List 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

[PHP-DEV] Re: Re. [PHP-DEV] PHP script source revealed on windows

2001-01-11 Thread Phil Driscoll 

Update on the .htr extension:

Here's what Microsoft have to say about what htr is:
*
What is HTR?
HTR is a first-generation advanced scripting technology that is included in
IIS 3.0. However, HTR was never widely adopted, and was superceded by Active
Server Pages (ASP) technology introduced in IIS 4.0.
*
So, basically it's just junk left over from your upgrade from IIS3.
Get rid of it!

Cheers
--
Phil Driscoll
Dial Solutions
+44 (0)113 294 5112
http://www.dialsolutions.com
http://www.dtonline.org



-- 
PHP Development Mailing List 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

[PHP-DEV] Re. [PHP-DEV] PHP script source revealed on windows

2001-01-11 Thread Phil Driscoll 

Toby wrote:
>...I ask because I just tripped over an article about IIS5
>revealing script's source if the request followed a certain
>pattern...
>http://www.ntsecurity.net/Articles/Index.cfm?ArticleID=16543

Aargh! This is a nightmare!

I've just tested on NT4 IIS4 and sure enough, if you append a +.htr to the
end of the url of a script you get sent the raw unprocessed script source.

Luckily, you only get to see the source of the script you pointed at and not
any include stuff outside the webspace so most sensible people will
hopefully be lucky enough to have their sensitive configuration information
and main program code outside the webspace. Nevertheless, if you thought the
php code in your webspace was private, forget it!

I've just done some investigating, and here's the fix (phew!).
You'll find that IIS sets up scriptmapping for the .htr extension to a dll
called ism.dll
Just get rid of the script map and the problem goes away. I don't know what
this breaks, but I don't have any .htr files so I don't really care for now!

Doing a search for ism.dll on the net has not enlightened me as to what it
actually does, but it turns up loads of pages on a buffer overflow exploit.

Cheers
PS Can you make sure to CC replies direct to me as there seems to be a
glitch somewhere between my ISP and php.net which has been preventing me
receiving list messages since yesterday morning - so it's real quiet here:)
It's no fun following all this via the archives!
--
Phil Driscoll
Dial Solutions
+44 (0)113 294 5112
http://www.dialsolutions.com
http://www.dtonline.org




-- 
PHP Development Mailing List 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Re: [PHP-DEV] PHP script source revealed on windows

2001-01-11 Thread Derick Rethans 

On Thu, 11 Jan 2001, Toby Butzon wrote:

> I remember people talking not to long ago about PHP scripts
> on Windows having their code revealed unpredictably. I also
> remember the thing only seemed to occur on Windows... Has
> any more been discovered/has this been resolved?

The problem for PHP/Apache/Linux has been resolved, this fix will bein the
upcoming 4.0.4pl1.

>
> I ask because I just tripped over an article about IIS5
> revealing script's source if the request followed a certain
> pattern...
> http://www.ntsecurity.net/Articles/Index.cfm?ArticleID=16543
>
> If I'm a day late and a dollar short, excuse me, please ;)
>

Derick Rethans

-
  PHP: Scripting the Web - www.php.net - [EMAIL PROTECTED]
-
JDI Media Solutions - www.jdimedia.nl - [EMAIL PROTECTED]
 H.v. Tussenbroekstraat 1 - 6952 BL Dieren - The Netherlands
-
"Smith & Wesson: The original point-and-click interface."
-


-- 
PHP Development Mailing List 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]