PHP could allow remote viewing of source code
|php-view-source-code (5939)||Low Risk|
PHP could allow a remote attacker to view the source code of PHP scripts if multiple virtual hosts are configured on a single Web server. PHP is a server-side scripting language for creating dynamic Web sites. If the parameter "engine=off" is configured on just one of the virtual hosts to disable PHP execution, it may disable PHP execution on other virtual hosts on the same server. A remote attacker can use this vulnerability to view the source code for the PHP page, which may contain sensitive information.
Upgrade to the latest version of PHP (4.0.4pl1 or later), available from the PHP Downloads Web site. See References.
For Linux-Mandrake 7.2:
Upgrade to the latest version of mod_php (4.0.4pl1-1 or later), as listed in MandrakeSoft Security Advisory MDKSA-2001:013 : php. See References.
For Red Hat Linux 2.2:
Upgrade to the latest version of php (3.0.18-1.5 or later), as listed in RHSA-2000-136-10. See References.
For Debian Linux 2.2 (potato):
Upgrade to the latest version of php4 (4.0.3pl1-0potato1.1 or later), as listed in Debian Linux Security Advisory DSA-020-1. See References.
For Conectiva OpenLinux 6.0:
Upgrade to the latest version of php4 (4.0.4pl1-1cl or later), as listed in Conectiva Linux Security Announcement CLA-2001:373. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
- BugTraq Mailing List, Fri Jan 12 2001 - 13:14:10 CST: PHP Security Advisory - Apache Module bugs.
- Conectiva Linux Announcement CLSA-2001:373: php4.
- MandrakeSoft Security Advisory MDKSA-2001:013: php.
- PHP Downloads Web site: Downloads.
- BID-2205: PHP Engine Disable Source Viewing Vulnerability
- CVE-2001-1385: The Apache module for PHP 4.0.0 through PHP 4.0.4, when disabled with the 'engine = off' option for a virtual host, may disable PHP for other virtual hosts, which could cause Apache to serve the source code of PHP scripts.
- DSA-020: php4 -- remote DOS and remote information leak
- OSVDB ID: 5425: PHP mod_php Virtual Host Source Code Exposure
- RHSA-2000-136: Updated PHP packages available for Red Hat Linux 5.2
- Conectiva Linux 6.0
- Debian Debian Linux 2.2
- MandrakeSoft Mandrake Linux 7.2
- PHP PHP 4.0 RC2
- PHP PHP 4.0 Beta1
- PHP PHP 4.0 Beta 4 Patch1
- PHP PHP 4.0 Beta3
- PHP PHP 4.0 Beta4
- PHP PHP 4.0 RC1
- PHP PHP 4.0 Beta2
- PHP PHP 4.0.0
- PHP PHP 4.0.1
- PHP PHP 4.0.2
- PHP PHP 4.0.3
- PHP PHP 4.0.4
- RedHat Linux 5.2
- RedHat Linux 6.0
- RedHat Linux 6.2
- RedHat Linux 7
- RedHat Linux 7.1
- RedHat Linux 7.2
- RedHat Linux 7.3
Jan 12, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this