Debians sikkerhedsbulletin

DSA-020-1 php4 -- fjern-overbelastningsangreb og fjern-informationslæk

Rapporteret den:
25. jan 2001
Berørte pakker:
php4
Sårbar:
Ja
Referencer i sikkerhedsdatabaser:
I Mitres CVE-ordbog: CVE-2001-0108, CVE-2001-1385.
Yderligere oplysninger:
Zend-folkene har fundet en sårbarhed i ældre versioner af PHP4 (det originale bulletin nævner 4.0.4 mens fejlene også findes i version 4.0.3). Det er muligt at angive PHP-direktiver pr. mappe, hvilket kan resultere i at en fjernangriber fremstiller en HTTP-forespørgsel der kan få den næste side der vises, til at blive sendt med de forkerte direktivværdier. Desuden, hvis PHP er installeret, kan det slås fra eller til pr. mappe eller pr. virtuel host ved hjælp af direktiverne "engine=on" og "engine=off". Denne indstilling kan lækkes til andre virtuelle hosts på den samme maskine, og dermed slå PHP fra i disse hosts, med det resultat at PHP-kildekoden sendes til klienten i stedet for at blive udført af serveren.
Rettet i:

Debian 2.2 (potato)

Kildekode:
http://security.debian.org/dists/stable/updates/main/source/php4_4.0.3pl1-0potato1.1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/php4_4.0.3pl1-0potato1.1.dsc
http://security.debian.org/dists/stable/updates/main/source/php4_4.0.3pl1.orig.tar.gz
alpha:
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-gd_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-imap_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-ldap_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-mhash_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-mysql_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-pgsql_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-snmp_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-xml_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-gd_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-imap_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-ldap_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-mhash_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-mysql_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-pgsql_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-snmp_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-xml_4.0.3pl1-0potato1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/php4_4.0.3pl1-0potato1.1_alpha.deb
arm:
http://security.debian.org/dists/stable/updates/main/binary-arm/php4-cgi-gd_4.0.3pl1-0potato1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/php4-cgi-imap_4.0.3pl1-0potato1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/php4-cgi-ldap_4.0.3pl1-0potato1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/php4-cgi-mhash_4.0.3pl1-0potato1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/php4-cgi-mysql_4.0.3pl1-0potato1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/php4-cgi-pgsql_4.0.3pl1-0potato1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/php4-cgi-snmp_4.0.3pl1-0potato1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/php4-cgi-xml_4.0.3pl1-0potato1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/php4-cgi_4.0.3pl1-0potato1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/php4-gd_4.0.3pl1-0potato1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/php4-imap_4.0.3pl1-0potato1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/php4-ldap_4.0.3pl1-0potato1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/php4-mhash_4.0.3pl1-0potato1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/php4-mysql_4.0.3pl1-0potato1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/php4-pgsql_4.0.3pl1-0potato1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/php4-snmp_4.0.3pl1-0potato1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/php4-xml_4.0.3pl1-0potato1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/php4_4.0.3pl1-0potato1.1_arm.deb
i386:
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-gd_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-imap_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-ldap_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-mhash_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-mysql_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-pgsql_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-snmp_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-xml_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-gd_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-imap_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-ldap_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-mhash_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-mysql_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-pgsql_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-snmp_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4-xml_4.0.3pl1-0potato1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/php4_4.0.3pl1-0potato1.1_i386.deb
m68k:
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-gd_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-imap_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-ldap_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-mhash_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-mysql_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-pgsql_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-snmp_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-xml_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-gd_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-imap_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-ldap_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-mhash_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-mysql_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-pgsql_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-snmp_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-xml_4.0.3pl1-0potato1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/php4_4.0.3pl1-0potato1.1_m68k.deb
powerpc:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-gd_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-imap_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-ldap_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-mhash_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-mysql_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-pgsql_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-snmp_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-xml_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-gd_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-imap_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-ldap_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-mhash_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-mysql_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-pgsql_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-snmp_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-xml_4.0.3pl1-0potato1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4_4.0.3pl1-0potato1.1_powerpc.deb
sparc:
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-gd_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-imap_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-ldap_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-mhash_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-mysql_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-pgsql_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-snmp_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-xml_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-gd_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-imap_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-ldap_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-mhash_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-mysql_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-pgsql_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-snmp_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-xml_4.0.3pl1-0potato1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/php4_4.0.3pl1-0potato1.1_sparc.deb