Hello dear friends.
I found this little tidbit on the O'Reilly.net network regarding PHP and Apache. Thought you would all like to know; yes, it's dated Feb 24/03.
"mod_php
Version 4.3.0 of the Apache PHP module mod_php contains a bug in the code that handles the command line option --enable-force-cgi-redirect and the php.ini option cgi.force_redirect. An attacker can exploit this bug to arbitrarily access any file on the system that is readable by the user running the web server. Under some conditions, the attacker may be able to execute arbitrary PHP code if they can inject it into a file readable by the web server (for example, the web server's log files).
The PHP Group has released version 4.3.1 of PHP. Users of binary packages should watch their vendor for an update and should consider disabling mod_php until it has been repaired."