PHP could allow remote viewing of source code

php-view-source-code (5939) The risk level is classified as LowLow Risk


PHP could allow a remote attacker to view the source code of PHP scripts if multiple virtual hosts are configured on a single Web server. PHP is a server-side scripting language for creating dynamic Web sites. If the parameter "engine=off" is configured on just one of the virtual hosts to disable PHP execution, it may disable PHP execution on other virtual hosts on the same server. A remote attacker can use this vulnerability to view the source code for the PHP page, which may contain sensitive information.


Obtain Information


Upgrade to the latest version of PHP (4.0.4pl1 or later), available from the PHP Downloads Web site. See References.

For Linux-Mandrake 7.2:
Upgrade to the latest version of mod_php (4.0.4pl1-1 or later), as listed in MandrakeSoft Security Advisory MDKSA-2001:013 : php. See References.

For Red Hat Linux 2.2:
Upgrade to the latest version of php (3.0.18-1.5 or later), as listed in RHSA-2000-136-10. See References.

For Debian Linux 2.2 (potato):
Upgrade to the latest version of php4 (4.0.3pl1-0potato1.1 or later), as listed in Debian Linux Security Advisory DSA-020-1. See References.

For Conectiva OpenLinux 6.0:
Upgrade to the latest version of php4 (4.0.4pl1-1cl or later), as listed in Conectiva Linux Security Announcement CLA-2001:373. See References.

For other distributions:
Contact your vendor for upgrade or patch information.


Platforms Affected:

  • Conectiva Linux 6.0
  • Debian Debian Linux 2.2
  • MandrakeSoft Mandrake Linux 7.2
  • PHP PHP 4.0 RC2
  • PHP PHP 4.0 Beta1
  • PHP PHP 4.0 Beta 4 Patch1
  • PHP PHP 4.0 Beta3
  • PHP PHP 4.0 Beta4
  • PHP PHP 4.0 RC1
  • PHP PHP 4.0 Beta2
  • PHP PHP 4.0.0
  • PHP PHP 4.0.1
  • PHP PHP 4.0.2
  • PHP PHP 4.0.3
  • PHP PHP 4.0.4
  • RedHat Linux 5.2
  • RedHat Linux 6.0
  • RedHat Linux 6.2
  • RedHat Linux 7
  • RedHat Linux 7.1
  • RedHat Linux 7.2
  • RedHat Linux 7.3


Jan 12, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page