Package: libapache2-mod-php4
Version: 4:4.3.10-16
Severity: normal

An extract from libapache2-mod-security documentation states the problem better
than I can explain:

"In Apache theory, a response to a request is generated by a
so-called handler. If there is a handler attached to a request it
should be considered to be of a dynamic nature. In practice, however,
Apache can be configured to serve dynamic pages without a handler
(it then chooses the module based on the resource MIME type). This will
happen, for example, if you configure PHP as instructed in the main
distribution:

        AddType application/x-httpd-php .php

While this works, it isn't entirely correct. However, if you replace the
above line with the following:

        AddHandler application/x-httpd-php .php
        
PHP will work just as well, Apache will have a handler assigned to the
request, and audit logger will be able to log selectively."

So, changing the /etc/apache2/mods-available/php4.conf file to be:

<IfModule mod_php4.c>
  AddHandler application/x-httpd-php .php .phtml .php3
  AddHandler application/x-httpd-php-source .phps
</IfModule>

will allow libapache2-mod-security to audit and protect PHP pages.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=fr_CA, LC_CTYPE=fr_CA (charmap=ISO-8859-1)

Versions of packages libapache2-mod-php4 depends on:
ii  apache2-mpm-prefork    2.0.54-5          traditional model for Apache2
ii  libbz2-1.0             1.0.2-7           high-quality block-sorting file co
ii  libc6                  2.3.2.ds1-22      GNU C Library: Shared libraries an
ii  libcomerr2             1.37-2sarge1      common error description library
ii  libdb4.2               4.2.52-18         Berkeley v4.2 Database Libraries [
ii  libexpat1              1.95.8-3          XML parsing C library - runtime li
ii  libkrb53               1.3.6-2sarge2     MIT Kerberos runtime libraries
ii  libmagic1              4.12-1            File type determination library us
ii  libpcre3               4.5-1.2sarge1     Perl 5 Compatible Regular Expressi
ii  libssl0.9.7            0.9.7e-3sarge1    SSL shared libraries
ii  libzzip-0-12           0.12.83-4         library providing read access on Z
ii  mime-support           3.28-1            MIME files 'mime.types' & 'mailcap
ii  php4-common            4:4.3.10-16       Common files for packages built fr
ii  zlib1g                 1:1.2.2-4.sarge.2 compression library - runtime

-- no debconf information
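
An added example, not part of the original report or of either package: a small Python check that finds AddType lines mapping extensions to a PHP MIME type and rewrites them to AddHandler, as the report proposes. The sample configuration is constructed, and the function name audit is hypothetical.

```python
import re

# Matches an active (uncommented) AddType directive whose media type is a
# PHP one, e.g. application/x-httpd-php or application/x-httpd-php-source.
# Apache directive names are case-insensitive, hence IGNORECASE.
_ADDTYPE_PHP = re.compile(
    r'^(?P<indent>\s*)AddType(?P<sep>\s+)'
    r'(?P<type>"?application/x-httpd-php[\w-]*"?)(?P<rest>\s+.*)$',
    re.IGNORECASE,
)

def audit(config_text):
    """Return (findings, fixed_text).

    findings is a list of (line_number, directive) for every PHP AddType
    line; fixed_text is the same configuration with those lines switched
    to AddHandler so that a handler is attached to the request.
    Assumption: directives are not split with backslash continuations.
    """
    findings, out = [], []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = _ADDTYPE_PHP.match(line)
        if m:
            findings.append((lineno, line.strip()))
            line = f"{m['indent']}AddHandler{m['sep']}{m['type']}{m['rest']}"
        out.append(line)
    return findings, "\n".join(out) + "\n"

# Constructed sample, modelled on the php4.conf discussed in the report.
SAMPLE = """\
# constructed sample
<IfModule mod_php4.c>
  AddType application/x-httpd-php .php .phtml .php3
  AddType application/x-httpd-php-source .phps
  AddType text/html .shtml
  # AddType application/x-httpd-php .php5
</IfModule>
"""

if __name__ == "__main__":
    found, fixed = audit(SAMPLE)
    for lineno, directive in found:
        print(f"line {lineno}: no handler attached: {directive}")
    print(fixed, end="")
```
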

