Skip Quicknav

• About Debian
• News
• Getting Debian
• Support
• Developers' Corner
• Site map
• Search

Debian Security Advisory

DSA-020-1 php4 -- remote DOS and remote information leak

Date Reported:

25 Jan 2001

Affected Packages:

php4

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2001-0108, CVE-2001-1385.

More information:

The Zend people have found a vulnerability in older versions of PHP4 (the original advisory speaks of 4.0.4 while the bugs are present in 4.0.3 as well). It is possible to specify PHP directives on a per-directory basis which leads to a remote attacker crafting an HTTP request that would cause the next page to be served with the wrong values for these directives. Also even if PHP is installed, it can be activated and deactivated on a per-directory or per-virtual host basis using the "engine=on" or "engine=off" directive. This setting can be leaked to other virtual hosts on the same machine, effectively disabling PHP for those hosts and resulting in PHP source code being sent to the client instead of being executed on the server.

Fixed in:

Debian 2.2 (potato)

Source:

http://security.debian.org/dists/stable/updates/main/source/php4_4.0.3pl1-0potato1.1.diff.gz

http://security.debian.org/dists/stable/updates/main/source/php4_4.0.3pl1-0potato1.1.dsc

http://security.debian.org/dists/stable/updates/main/source/php4_4.0.3pl1.orig.tar.gz

alpha:

http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-gd_4.0.3pl1-0potato1.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-imap_4.0.3pl1-0potato1.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-ldap_4.0.3pl1-0potato1.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-mhash_4.0.3pl1-0potato1.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-mysql_4.0.3pl1-0potato1.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-pgsql_4.0.3pl1-0potato1.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-snmp_4.0.3pl1-0potato1.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi-xml_4.0.3pl1-0potato1.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-cgi_4.0.3pl1-0potato1.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-gd_4.0.3pl1-0potato1.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-imap_4.0.3pl1-0potato1.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-ldap_4.0.3pl1-0potato1.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-mhash_4.0.3pl1-0potato1.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-mysql_4.0.3pl1-0potato1.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-pgsql_4.0.3pl1-0potato1.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-snmp_4.0.3pl1-0potato1.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/php4-xml_4.0.3pl1-0potato1.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/php4_4.0.3pl1-0potato1.1_alpha.deb

arm:

http://security.debian.org/dists/stable/updates/main/binary-arm/php4-cgi-gd_4.0.3pl1-0potato1.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/php4-cgi-imap_4.0.3pl1-0potato1.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/php4-cgi-ldap_4.0.3pl1-0potato1.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/php4-cgi-mhash_4.0.3pl1-0potato1.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/php4-cgi-mysql_4.0.3pl1-0potato1.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/php4-cgi-pgsql_4.0.3pl1-0potato1.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/php4-cgi-snmp_4.0.3pl1-0potato1.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/php4-cgi-xml_4.0.3pl1-0potato1.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/php4-cgi_4.0.3pl1-0potato1.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/php4-gd_4.0.3pl1-0potato1.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/php4-imap_4.0.3pl1-0potato1.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/php4-ldap_4.0.3pl1-0potato1.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/php4-mhash_4.0.3pl1-0potato1.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/php4-mysql_4.0.3pl1-0potato1.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/php4-pgsql_4.0.3pl1-0potato1.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/php4-snmp_4.0.3pl1-0potato1.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/php4-xml_4.0.3pl1-0potato1.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/php4_4.0.3pl1-0potato1.1_arm.deb

i386:

http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-gd_4.0.3pl1-0potato1.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-imap_4.0.3pl1-0potato1.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-ldap_4.0.3pl1-0potato1.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-mhash_4.0.3pl1-0potato1.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-mysql_4.0.3pl1-0potato1.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-pgsql_4.0.3pl1-0potato1.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-snmp_4.0.3pl1-0potato1.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi-xml_4.0.3pl1-0potato1.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/php4-cgi_4.0.3pl1-0potato1.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/php4-gd_4.0.3pl1-0potato1.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/php4-imap_4.0.3pl1-0potato1.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/php4-ldap_4.0.3pl1-0potato1.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/php4-mhash_4.0.3pl1-0potato1.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/php4-mysql_4.0.3pl1-0potato1.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/php4-pgsql_4.0.3pl1-0potato1.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/php4-snmp_4.0.3pl1-0potato1.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/php4-xml_4.0.3pl1-0potato1.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/php4_4.0.3pl1-0potato1.1_i386.deb

m68k:

http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-gd_4.0.3pl1-0potato1.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-imap_4.0.3pl1-0potato1.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-ldap_4.0.3pl1-0potato1.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-mhash_4.0.3pl1-0potato1.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-mysql_4.0.3pl1-0potato1.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-pgsql_4.0.3pl1-0potato1.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-snmp_4.0.3pl1-0potato1.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi-xml_4.0.3pl1-0potato1.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-cgi_4.0.3pl1-0potato1.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-gd_4.0.3pl1-0potato1.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-imap_4.0.3pl1-0potato1.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-ldap_4.0.3pl1-0potato1.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-mhash_4.0.3pl1-0potato1.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-mysql_4.0.3pl1-0potato1.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-pgsql_4.0.3pl1-0potato1.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-snmp_4.0.3pl1-0potato1.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/php4-xml_4.0.3pl1-0potato1.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/php4_4.0.3pl1-0potato1.1_m68k.deb

powerpc:

http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-gd_4.0.3pl1-0potato1.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-imap_4.0.3pl1-0potato1.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-ldap_4.0.3pl1-0potato1.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-mhash_4.0.3pl1-0potato1.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-mysql_4.0.3pl1-0potato1.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-pgsql_4.0.3pl1-0potato1.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-snmp_4.0.3pl1-0potato1.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi-xml_4.0.3pl1-0potato1.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-cgi_4.0.3pl1-0potato1.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-gd_4.0.3pl1-0potato1.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-imap_4.0.3pl1-0potato1.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-ldap_4.0.3pl1-0potato1.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-mhash_4.0.3pl1-0potato1.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-mysql_4.0.3pl1-0potato1.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-pgsql_4.0.3pl1-0potato1.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-snmp_4.0.3pl1-0potato1.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-xml_4.0.3pl1-0potato1.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4_4.0.3pl1-0potato1.1_powerpc.deb

sparc:

http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-gd_4.0.3pl1-0potato1.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-imap_4.0.3pl1-0potato1.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-ldap_4.0.3pl1-0potato1.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-mhash_4.0.3pl1-0potato1.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-mysql_4.0.3pl1-0potato1.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-pgsql_4.0.3pl1-0potato1.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-snmp_4.0.3pl1-0potato1.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi-xml_4.0.3pl1-0potato1.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-cgi_4.0.3pl1-0potato1.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-gd_4.0.3pl1-0potato1.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-imap_4.0.3pl1-0potato1.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-ldap_4.0.3pl1-0potato1.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-mhash_4.0.3pl1-0potato1.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-mysql_4.0.3pl1-0potato1.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-pgsql_4.0.3pl1-0potato1.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-snmp_4.0.3pl1-0potato1.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/php4-xml_4.0.3pl1-0potato1.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/php4_4.0.3pl1-0potato1.1_sparc.deb

This page is also available in the following languages:

dansk Deutsch español français 日本語 (Nihongo) svenska

How to set the default document language