Mandriva Advisories

Package name: php
Date: January 22nd, 2001
Advisory ID: MDKSA-2001:013
Affected versions: 7.2
Synopsis: Updated php packages fix insecurities with php directives

Problem Description

There are two security problems with php4 as shipped in Linux-Mandrake
7.2. First, PHP directives can be specified on a per-directory basis
under Apache, and a remote attacker could carefully craft an HTTP
request that would cause the next page to be served with the wrong
values for these directives. Second, although PHP may be installed, it
can be activated and deactivated on a per-directory or per-virtual
host basis using the "engine=on" or "engine=off" directive. PHP can
"leak" the "engine=off" setting to other virtual hosts on the same
machine, effectively disabling PHP for those hosts and resulting in PHP
source code being sent to the client instead of being executed on the
server. These vulnerabilities are corrected in PHP 4.0.4pl1.

Updated Packages

Mandrakelinux 7.2

f54b0ce745c1903794522b04eba99576  7.2/RPMS/mod_php-4.0.4pl1-1.1mdk.i586.rpm
c39a3f03e58b3234af7f95e0b1ebbb4d  7.2/RPMS/php-4.0.4pl1-1.1mdk.i586.rpm
b74cd72804ec86a6287dcee0c938eb1a  7.2/RPMS/php-dba_gdbm_db2-4.0.4pl1-1.1mdk.i586.rpm
d29d2c054274a98726da22c2fa2e02c6  7.2/RPMS/php-devel-4.0.4pl1-1.1mdk.i586.rpm
c20961189744753ee91a6fd834a937c0  7.2/RPMS/php-gd-4.0.4pl1-1.1mdk.i586.rpm
e9d3312f15355741243450c7d74872d9  7.2/RPMS/php-imap-4.0.4pl1-1.1mdk.i586.rpm
a68b22849371aaf36fa8e3c1d549dbbf  7.2/RPMS/php-ldap-4.0.4pl1-1.1mdk.i586.rpm
ff06eb076f3e8673b39dc5f260320ee7  7.2/RPMS/php-manual-4.0.4pl1-1.1mdk.i586.rpm
70dc4d1e9175a7ec6dfa1647e7db81ba  7.2/RPMS/php-mysql-4.0.4pl1-1.1mdk.i586.rpm
91f93f9f40b4aa44774a35af508ce17a  7.2/RPMS/php-pgsql-4.0.4pl1-1.1mdk.i586.rpm
4f67c0695fa61c1d76f1cba399441398  7.2/RPMS/php-readline-4.0.4pl1-1.1mdk.i586.rpm
81e7aae1084066990f95a82a2fd07d26  7.2/SRPMS/php-4.0.4pl1-1.1mdk.src.rpm


To upgrade automatically, use MandrivaUpdate.


Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, verification of the MD5 checksum and GPG signature is performed automatically for you.
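
For manual downloads, the MD5 list under "Updated Packages" can be checked in one pass. The following shell function is an added example, not part of the original advisory; the function name, the script and list file names, and the use of `md5sum` are assumptions, and it expects the advisory's checksum lines pasted into a text file.

```shell
#!/bin/sh
# verify_advisory_md5 LIST DIR   (added example; name and interface are assumptions)
#   LIST: file holding the advisory's "<md5>  <path>/<name>.rpm" lines
#   DIR:  directory containing the downloaded packages
# Prints one status line per listed package and returns 0 only when every
# listed file is present and its MD5 matches.
verify_advisory_md5() {
    vam_list=$1
    vam_dir=$2
    vam_rc=0
    # "read" strips leading blanks, so indented list lines parse correctly;
    # the "|| [ -n ... ]" keeps a final line that lacks a newline.
    while read -r vam_want vam_path || [ -n "$vam_want" ]; do
        # Skip anything that is not "<32 hex digits> <path>" (headings, prose).
        printf '%s\n' "$vam_want" | grep -Eq '^[0-9a-f]{32}$' || continue
        [ -n "$vam_path" ] || continue
        vam_name=${vam_path##*/}      # advisory paths carry a 7.2/RPMS/ prefix
        vam_file=$vam_dir/$vam_name
        if [ ! -f "$vam_file" ]; then
            echo "MISSING  $vam_name"
            vam_rc=1
            continue
        fi
        vam_got=$(md5sum < "$vam_file" | cut -d' ' -f1)
        if [ "$vam_got" = "$vam_want" ]; then
            echo "OK       $vam_name"
        else
            echo "MISMATCH $vam_name"
            vam_rc=1
        fi
    done < "$vam_list"
    return "$vam_rc"
}

# Hypothetical invocation: sh verify.sh advisory-md5.txt /path/to/downloads
if [ "$#" -eq 2 ]; then
    verify_advisory_md5 "$1" "$2"
fi
```

A matching MD5 only shows the file is the one the advisory lists; the GPG signature check with `rpm --checksig` is still the step that ties the package to the Mandriva Security Team key.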