MDKSA-2001:013
- Package name: php
- Date: 2001-01-22
- Advisory ID: MDKSA-2001:013
- Affected versions: 7.2 i586
Problem description
There are two security problems with php4 as shipped in Linux-Mandrake 7.2.

First, PHP directives can be specified on a per-directory basis under Apache, and a remote attacker could carefully craft an HTTP request that causes the next page to be served with the wrong values for these directives.

Second, although PHP may be installed, it can be activated and deactivated on a per-directory or per-virtual-host basis using the "engine=on" or "engine=off" directive. PHP can "leak" the "engine=off" setting to other virtual hosts on the same machine, effectively disabling PHP for those hosts and resulting in PHP source code being sent to the client instead of being executed on the server.

These vulnerabilities are corrected in PHP 4.0.4pl1.
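The symptom of the second problem (PHP source returned instead of executed output) can be checked for in responses collected from your own virtual hosts. The following is an added example, not part of the original advisory; the function names, host names and sample bodies are constructed for illustration.

```python
import re

# PHP opening tags that should never appear in a response if the engine ran:
# "<?php", "<?=", and the short tag "<?" followed by whitespace or end of line.
# "<?xml" and other XML processing instructions do not match.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=|\s|$)", re.IGNORECASE)


def leaked_php_lines(body):
    """Return (line_number, stripped_line) for every line with a raw PHP tag."""
    return [
        (number, line.strip())
        for number, line in enumerate(body.splitlines(), start=1)
        if PHP_OPEN_TAG.search(line)
    ]


def audit(responses):
    """Map host -> leaked lines, listing only hosts whose body shows source."""
    report = {}
    for host, body in responses.items():
        hits = leaked_php_lines(body)
        if hits:
            report[host] = hits
    return report


# Constructed sample bodies (not captured traffic; host names are made up).
SAMPLE_RESPONSES = {
    # Page rendered normally by the PHP engine.
    "www.example.test": "<html><body>Hello, visitor 42</body></html>",
    # XML declaration: looks similar to a short tag but is legitimate.
    "feed.example.test": '<?xml version="1.0"?>\n<rss version="0.91"></rss>',
    # Documentation page showing PHP code with HTML-escaped brackets.
    "docs.example.test": "<pre>&lt;?php echo 'hi'; ?&gt;</pre>",
    # Engine off for this host: the script itself was sent to the client.
    "shop.example.test": "<html>\n<?php\ninclude 'config.inc';\n?>\n"
                         "<? echo $total ?>\n</html>",
}

if __name__ == "__main__":
    for host, hits in audit(SAMPLE_RESPONSES).items():
        for number, text in hits:
            print(f"{host}: line {number}: unexecuted PHP tag: {text}")
```

Only the host whose body contains unescaped PHP tags is reported; the XML feed and the HTML-escaped documentation page are not flagged.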
Updated packages
7.2 i586
f54b0ce745c1903794522b04eba99576 7.2/RPMS/mod_php-4.0.4pl1-1.1mdk.i586.rpm
c39a3f03e58b3234af7f95e0b1ebbb4d 7.2/RPMS/php-4.0.4pl1-1.1mdk.i586.rpm
b74cd72804ec86a6287dcee0c938eb1a 7.2/RPMS/php-dba_gdbm_db2-4.0.4pl1-1.1mdk.i586.rpm
d29d2c054274a98726da22c2fa2e02c6 7.2/RPMS/php-devel-4.0.4pl1-1.1mdk.i586.rpm
c20961189744753ee91a6fd834a937c0 7.2/RPMS/php-gd-4.0.4pl1-1.1mdk.i586.rpm
e9d3312f15355741243450c7d74872d9 7.2/RPMS/php-imap-4.0.4pl1-1.1mdk.i586.rpm
a68b22849371aaf36fa8e3c1d549dbbf 7.2/RPMS/php-ldap-4.0.4pl1-1.1mdk.i586.rpm
ff06eb076f3e8673b39dc5f260320ee7 7.2/RPMS/php-manual-4.0.4pl1-1.1mdk.i586.rpm
70dc4d1e9175a7ec6dfa1647e7db81ba 7.2/RPMS/php-mysql-4.0.4pl1-1.1mdk.i586.rpm
91f93f9f40b4aa44774a35af508ce17a 7.2/RPMS/php-pgsql-4.0.4pl1-1.1mdk.i586.rpm
4f67c0695fa61c1d76f1cba399441398 7.2/RPMS/php-readline-4.0.4pl1-1.1mdk.i586.rpm
81e7aae1084066990f95a82a2fd07d26 7.2/SRPMS/php-4.0.4pl1-1.1mdk.src.rpm
