Bugtraq mailing list archives
Re: PHP Security Advisory - Apache Module bugs
From: James Moore <jmoore () PHP NET>
Date: Tue, 16 Jan 2001 20:40:02 -0000
On 12/Jan/2001, Zeev Suraski wrote:

[2] PHP supports the ability to be installed, and yet disabled, by setting the configuration option 'engine = off'. Due to a bug in the Apache module version of PHP, if one or more virtual hosts within a single Apache server were configured with engine=off, this value could 'propagate' to other virtual hosts. Because setting this option to 'off' disables execution of

I've been using these settings for some months (php default off, and then enabling it in the virtual domains that I want) and I've had no problem at all ... Are there any more known circumstances when it happens?
OK, what could happen in your system is that the PHP engine could be turned on for some hosts you did not want it to be turned on for; this case was not tested for by the QA team. It all depends on where you set your engine off.

Case 1: If you have set it off in the php.ini file, then some of the virtual servers you did not want to have the PHP engine on for could in fact have the engine turned on.

Case 2: If you have set the option using

    php_value engine off

in your default (main) server configuration in httpd.conf, then your setup will not be affected.

If you do find your setup is affected in this way, then you can use the reverse of Zeev's workaround and place the line

    php_value engine off

in your main server configuration section of your httpd.conf.

James

--
James Moore
PHP Quality Assurance Team
jmoore () php net
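An added example, not part of the original post and not PHP project code: a small Python check that reports which of the two cases in the reply above a configuration falls into. The sample files, host names and function names are constructed for illustration; it assumes a single httpd.conf with no Include files, and in case 1 it lists the virtual hosts that have no explicit engine directive as the ones to verify.

```python
import re

# Constructed sample files for illustration; not taken from the post.
SAMPLE_PHP_INI = "; constructed sample\nengine = Off\n"
SAMPLE_HTTPD_CONF = """\
ServerName main.example.test
<VirtualHost *:80>
    ServerName php.example.test
    php_value engine on
</VirtualHost>
<VirtualHost *:80>
    ServerName static.example.test
</VirtualHost>
"""

ENGINE = re.compile(r"^\s*php_(?:admin_)?(?:value|flag)\s+engine\s+(\S+)", re.I)

def _norm(value):
    return "on" if value.strip("\"'").lower() in {"on", "1", "true", "yes"} else "off"

def ini_engine(ini_text):
    """Last uncommented 'engine = ...' in php.ini as 'on'/'off', else None."""
    found = None
    for line in ini_text.splitlines():
        m = re.match(r"^\s*engine\s*=\s*([^;\s]+)", line, re.I)
        if m:
            found = _norm(m.group(1))
    return found

def httpd_engine(conf_text):
    """Return (main_server_value, {vhost_name: value_or_None})."""
    main, vhosts, current = None, {}, None
    for line in conf_text.splitlines():
        s, m = line.strip(), ENGINE.match(line)
        if s.lower().startswith("<virtualhost"):
            current = "vhost#%d" % (len(vhosts) + 1)   # placeholder until ServerName
            vhosts[current] = None
        elif s.lower().startswith("</virtualhost"):
            current = None
        elif current and s.lower().startswith("servername ") and s.split()[1:]:
            name = s.split()[1]
            vhosts[name] = vhosts.pop(current)
            current = name
        elif m and current:
            vhosts[current] = _norm(m.group(1))
        elif m:
            main = _norm(m.group(1))
    return main, vhosts

def audit(ini_text, conf_text):
    """Case 2: off in the main server config. Case 1: off only in php.ini. Else 0."""
    main, vhosts = httpd_engine(conf_text)
    case = 2 if main == "off" else 1 if ini_engine(ini_text) == "off" else 0
    unset = [name for name, value in vhosts.items() if value is None]
    return {"case": case, "check": unset if case == 1 else []}
```
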