PHP virtual host information disclosure

php-virtualhost-info-disclosure (15072)

Medium Risk

Description:

PHP when running on an Apache HTTP Server that has been configured as a virtual host, could allow a remote attacker to obtain sensitive information. If the register_globals option is enabled in the php.ini file of the Apache HTTP Server, a remote attacker could send a specially-crafted HTTP request to a virtual host and then send a second HTTP request to a different virtual host, but with the same Apache child process, to cause the php_admin_* settings from the first virtual host to be applied to the second virtual host. This could cause the server to leak global variables, which would allow the attacker to obtain sensitive information.

Platforms Affected:

• Gentoo, Linux
• PHP, PHP 4.0 Beta4
• PHP, PHP 4.0 Beta3
• PHP, PHP 4.0 Beta2
• PHP, PHP 4.0 RC1
• PHP, PHP 4.0 Beta1
• PHP, PHP 4.0 RC2
• PHP, PHP 4.0 Beta 4 Patch1
• PHP, PHP 4.0.0
• PHP, PHP 4.0.1
• PHP, PHP 4.0.2
• PHP, PHP 4.0.3
• PHP, PHP 4.0.4
• PHP, PHP 4.0.5
• PHP, PHP 4.0.6
• PHP, PHP 4.0.7
• PHP, PHP 4.1.0
• PHP, PHP 4.1.1
• PHP, PHP 4.1.2
• PHP, PHP 4.1.3
• PHP, PHP 4.2.0
• PHP, PHP 4.2.1
• PHP, PHP 4.2.2
• PHP, PHP 4.2.3
• PHP, PHP 4.2.4
• PHP, PHP 4.3.0
• PHP, PHP 4.3.1
• PHP, PHP 4.3.2
• PHP, PHP 4.3.3
• PHP, PHP 4.3.4

Remedy:

Upgrade to the latest CVS version of PHP (dated 2004-01-28 or later), from the PHP Web site. See References.

For Gentoo Linux:
Upgrade to the latest mod_php package (4.3.4-r4 or later), as listed in the GLSA 200402-01. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Obtain Information

References:

• GLSA 200402-01, PHP setting leaks from .htaccess files on virtual hosts at http://archives.neohapsis.com/archives/fulldisclosure/2004-02/0310.html.
• PHP Web site, php_value|flag / php_admin_* settings "leak" from vhosts/.htaccess files at http://bugs.php.net/bug.php?id=25753.
• BID-9599: Apache mod_php Global Variables Information Disclosure Weakness
• BID-960: Debian GNU/Linux MBR Vulnerability
• CVE-2004-0263: PHP 4.3.4 and earlier in Apache 1.x and 2.x (mod_php) can leak global variables between virtual hosts that are handled by the same Apache child process but have different settings, which could allow remote attackers to obtain sensitive information.
• GLSA-200402-01: PHP setting leaks from .htaccess files on virtual hosts
• OSVDB ID: 3878: PHP Virtual Host Configuration Information Disclosure

Reported:

Oct 04, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page