From: phpbugrep-20050204 at pgregg dot com
Operating system: All
PHP version: Irrelevant
PHP Bug Type: *Web Server problem
Bug description: ini value settings maintaining state between requests

Description:
------------
SECURITY ALERT:

Related to:
http://bugs.php.net/bug.php?id=28729
http://bugs.php.net/bug.php?id=27110

(First the rant) This isn't the same bug... and to be honest I'm getting quite pissed at the number of times a bug is reported only to be closed as Bogus because dev can't be arsed to look into it. This just results in people not bothering to report bugs.

In this case, the auto_prepend_file and auto_append_file values are not reset between requests. Thus one change in a .htaccess file results in the change lingering on for the next request (perhaps even on a different vhost).

This could be a very nasty security issue because it lets me, in a web hotel, insert code into other people's websites, such as emailing me $GLOBALS so I could extract credit card details, etc.

I believe the fix is in main/main.c (in 5.0.3) in php_module_startup() to add:

    PG(auto_prepend_file) = NULL;
    PG(auto_append_file) = NULL;

The same will be the case in the 4.x tree. The same should be true for other "leaking" values.

As a workaround, setting the Apache MaxRequests to 1 will result in a fresh Apache and as a result a fresh PHP. The hit is poor performance.

--
Edit bug report at http://bugs.php.net/?id=31844&edit=1
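
Added example (not part of the report and not PHP source): a simplified C model of the behaviour described above, where a long-lived worker applies a per-directory override and either leaves it in place or restores it when the request ends. The struct and function names, the sample hosts and paths, and the `max_per_child` parameter (modelling the worker-recycling workaround) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, not PHP source: per-process state in a long-lived worker. */
struct worker  { const char *auto_prepend_file; };
/* prepend_override == NULL means the request's directory sets no override. */
struct request { const char *vhost; const char *prepend_override; };
typedef const char *(*serve_fn)(struct worker *, const struct request *);
/* Constructed sample traffic: site-a sets an override, site-b never does. */
static const struct request SAMPLE[] = {
    { "site-a.example", "/home/site-a/prepend.php" },
    { "site-b.example", NULL },
    { "site-b.example", NULL },
    { "site-a.example", "/home/site-a/prepend.php" },
};

/* Leaky: the override is written into worker state and never undone. */
const char *serve_leaky(struct worker *w, const struct request *r) {
    if (r->prepend_override) w->auto_prepend_file = r->prepend_override;
    return w->auto_prepend_file;
}

/* Isolated: the previous value is restored when the request ends. */
const char *serve_isolated(struct worker *w, const struct request *r) {
    const char *saved = w->auto_prepend_file;
    if (r->prepend_override) w->auto_prepend_file = r->prepend_override;
    const char *effective = w->auto_prepend_file;
    w->auto_prepend_file = saved;
    return effective;
}

/* Count requests served with a value their own config never set.
   max_per_child > 0 starts a fresh worker after that many requests. */
int count_leaks(serve_fn serve, const struct request *reqs, size_t n, int max_per_child) {
    struct worker w = { NULL };
    int leaks = 0, served = 0;
    for (size_t i = 0; i < n; i++) {
        if (max_per_child && served % max_per_child == 0) w.auto_prepend_file = NULL;
        const char *got = serve(&w, &reqs[i]), *want = reqs[i].prepend_override;
        if (got != want && (!got || !want || strcmp(got, want) != 0)) leaks++;
        served++;
    }
    return leaks;
}

int main(void) {
    printf("leaky=%d isolated=%d leaky_recycled_each_request=%d\n", count_leaks(serve_leaky, SAMPLE, 4, 0),
           count_leaks(serve_isolated, SAMPLE, 4, 0), count_leaks(serve_leaky, SAMPLE, 4, 1));
    return 0;
}
```

Run against a real deployment, the equivalent check is to request a page on a vhost with no override immediately after one that sets it and compare the effective setting with the vhost's own configuration.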