ID: 25753
Comment by: rover at tob dot ru
Reported By: [EMAIL PROTECTED]
Status: Closed
Bug Type: Apache related
Operating System: *
PHP Version: 4CVS, 5CVS
New Comment:
Anyway - in some cases this can lead to a security violation. Is the Apache2 module vulnerable to this bug?

Previous Comments:
------------------------------------------------------------------------

[2004-01-28 12:40:04] [EMAIL PROTECTED]

This only happens on text/html files with the executable bit set. If the +x bit is set, we load the current ini settings and if php's xbithack option is not set we decline the request but forget to reset the ini settings, potentially leaking them to the next request. This is now fixed in CVS and will be in the next release of both PHP4 and PHP5.

------------------------------------------------------------------------

[2004-01-28 00:47:04] rover at tob dot ru

We examined the source files more carefully and remade the patch:

diff -udr php-4.3.3/sapi/apache/mod_php4.c php-4.3.3.patched/sapi/apache/mod_php4.c --- php-4.3.3/sapi/apache/mod_php4.c 2003-06-03 11:41:49.000000000 +0600 +++ php-4.3.3.patched/sapi/apache/mod_php4.c 2004-01-28 10:48:27.000000000 +0500
@@ -830,6 +830,9 @@ } if(!AP(xbithack)) { r->allowed |= (1 << METHODS) - 1; + zend_try { + zend_ini_deactivate(TSRMLS_C); + } zend_end_try(); return DECLINED; } return send_parsed_php(r);

------------------------------------------------------------------------

[2004-01-27 16:08:12] rover at tob dot ru

2 hours later.... We analyzed this bug more carefully. THIS BUG IS VERY CRITICAL AND HAS A HUGE SECURITY IMPACT! A message with an explanation has been sent to [EMAIL PROTECTED], [EMAIL PROTECTED]

------------------------------------------------------------------------

[2004-01-27 14:20:05] rover at tob dot ru

The latest patch has a disadvantage: it seems options like 'php_value engine on' now don't work in .htaccess directives. But now I don't have such annoying errors as earlier. Waiting for a developer solution. :)

------------------------------------------------------------------------

[2004-01-27 13:55:50] rover at tob dot ru

You can try this patch (applies to versions 4.3.3, 4.3.4 and 4.3.5RC1):

#patch -p1 -d source_dir_of_php < patch.diff

diff -udr php-4.3.3/sapi/apache/mod_php4.c php-4.3.3.patched/sapi/apache/mod_php4.c --- php-4.3.3/sapi/apache/mod_php4.c 2003-06-03 11:41:49.000000000 +0600 +++ php-4.3.3.patched/sapi/apache/mod_php4.c 2004-01-27 23:59:26.000000000 +0500 @@ -559,6 +559,11 @@ return DECLINED; } + /* Restore default ini settings */ + zend_try { + zend_ini_deactivate(TSRMLS_C); + } zend_end_try(); + per_dir_conf = (HashTable *) get_module_config(r->per_dir_config, &php4_module); if (per_dir_conf) { zend_hash_apply((HashTable *) per_dir_conf, (apply_func_t) php_apache_alter_ini_entries TSRMLS_C

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/25753
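Review bot: in the @@ -559,6 +559,11 @@ hunk of the 2004-01-27 13:55:50 patch the reset is in the wrong place: `zend_ini_deactivate(TSRMLS_C)` now runs on every request that gets past the `return DECLINED;` above it, immediately before `per_dir_conf` is applied through `php_apache_alter_ini_entries`, so it touches requests PHP goes on to serve rather than only the declined ones, and the 14:20:05 follow-up reports that `php_value engine on` in .htaccess stopped working with this patch applied. Move the call into the branch that loads the ini settings and then returns DECLINED, so that served requests keep their per-directory values.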
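Review bot: the @@ -830,6 +830,9 @@ hunk of the 2004-01-28 00:47:04 patch drops the `/* Restore default ini settings */` comment the earlier patch carried; put it back above the `+ zend_try {` line, since without it a reader of the `!AP(xbithack)` branch cannot see why ini state has to be reset before `return DECLINED;`, and say in the same comment why the `zend_try` / `zend_end_try()` wrapper is wanted, because an empty `zend_end_try()` silently discards any bailout raised inside `zend_ini_deactivate()` and the handler still returns DECLINED afterwards.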
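As an added illustration of the leak described in the 2004-01-28 12:40:04 comment (example code written for this page, not PHP's own): a small C model of the per-request ini lifecycle, in which the `open_basedir` entry, the vhost paths and the `handle_request` / `next_request_sees` helpers are all constructed for the example. The unfixed decline path leaves the per-directory value in effect for the next request; the fixed path resets it before returning DECLINED, as the CVS fix does.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of mod_php4's per-request ini handling, not PHP's own code;
   the entry name and the paths are illustrative. */
#define VAL_LEN 64
struct ini_entry { const char *name; char orig[VAL_LEN]; char value[VAL_LEN]; int modified; };
static struct ini_entry g_ini[] = {
    { "open_basedir", "/var/www/default", "/var/www/default", 0 },  /* php.ini value */
};
#define N_ENTRIES (sizeof g_ini / sizeof g_ini[0])

/* stand-in for php_apache_alter_ini_entries: apply one php_value directive */
static void ini_alter(const char *name, const char *val) {
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (strcmp(g_ini[i].name, name) == 0) {
            snprintf(g_ini[i].value, VAL_LEN, "%s", val);
            g_ini[i].modified = 1;
        }
}
/* stand-in for zend_ini_deactivate: put every modified entry back to php.ini */
static void ini_deactivate(void) {
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (g_ini[i].modified) {
            snprintf(g_ini[i].value, VAL_LEN, "%s", g_ini[i].orig);
            g_ini[i].modified = 0;
        }
}
const char *ini_get(const char *name) {
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (strcmp(g_ini[i].name, name) == 0) return g_ini[i].value;
    return NULL;
}
/* One request. per_dir_val: the directory's php_value open_basedir (or NULL);
   xbit: text/html file with +x; xbithack: module option; fixed: reset on the
   decline path as the CVS fix does. Returns 1 if handled, 0 if DECLINED. */
int handle_request(const char *per_dir_val, int xbit, int xbithack, int fixed) {
    if (per_dir_val) ini_alter("open_basedir", per_dir_val);   /* "load ini settings" */
    if (xbit && !xbithack) {
        if (fixed) ini_deactivate();   /* the fix: undo per-dir values before declining */
        return 0;                      /* DECLINED: Apache serves the file itself */
    }
    ini_deactivate();   /* normal request shutdown restores php.ini values */
    return 1;
}
/* Decline a +x request under vhost-a, then report what the next request
   (which has no php_value of its own) finds in effect. */
const char *next_request_sees(int fixed) {
    ini_deactivate();   /* clean starting state */
    handle_request("/var/www/vhost-a", 1, 0, fixed);
    return ini_get("open_basedir");
}
```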