PHP setting leaks from .htaccess files on virtual hosts
Package(s): | php |
CVE #(s): | |
Created: | February 9, 2004 |
Updated: | February 12, 2004 |
Description: |
If the server configuration file "php.ini" has "register_globals = on",
a request is made to one virtual host (which has "php_admin_flag
register_globals off"), and the next request is sent to another
virtual host (which does not have the setting) through the same Apache
child, the setting will persist.
Depending on the server and site, an attacker may be able to exploit
global variables to gain access to reserved areas, such as MySQL
passwords, or this vulnerability may simply cause a lack of
functionality. As a result, users are urged to upgrade their PHP
installations. |
Alerts: |
|
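
The following audit sketch is an added example, not part of the original advisory or of PHP or Apache. It scans Apache configuration text for the mix of virtual hosts the description names: at least one host that overrides register_globals with php_admin_flag to a value different from php.ini, alongside at least one host that sets nothing. The host names and sample configuration are constructed, and the check only identifies the configuration pattern; it does not tell you whether the installed PHP is a fixed version.

```python
import re

# Constructed sample configuration mirroring the advisory's scenario.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName secure.example.test
    php_admin_flag register_globals off
</VirtualHost>
<VirtualHost *:80>
    ServerName legacy.example.test
    DocumentRoot /var/www/legacy
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.I | re.S)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.I | re.M)
FLAG_RE = re.compile(r"^\s*php_admin_flag\s+register_globals\s+(\S+)", re.I | re.M)
# Assumption: these spellings are the ones treated as "enabled".
TRUTHY = {"on", "1", "true", "yes"}


def audit_register_globals(conf_text, ini_value="on"):
    """Return vhosts that override register_globals, vhosts that inherit
    php.ini, and whether both kinds coexist with differing values."""
    ini_on = ini_value.strip().lower() in TRUTHY
    overriding, inheriting = {}, []
    for index, match in enumerate(VHOST_RE.finditer(conf_text)):
        body = match.group(1)
        name = NAME_RE.search(body)
        label = name.group(1) if name else f"<vhost #{index}>"
        flag = FLAG_RE.search(body)
        if flag:
            overriding[label] = flag.group(1).lower() in TRUTHY
        else:
            inheriting.append(label)
    # The advisory's condition: an override that differs from php.ini,
    # plus at least one vhost relying on the php.ini value.
    differs = any(value != ini_on for value in overriding.values())
    return {"overriding": overriding, "inheriting": inheriting,
            "exposed": bool(differs and inheriting)}


if __name__ == "__main__":
    report = audit_register_globals(SAMPLE_CONF, ini_value="on")
    for host in report["inheriting"]:
        print(f"{host}: no explicit php_admin_flag register_globals")
    print("mixed configuration present:", report["exposed"])
```

Pass the register_globals value from the server's php.ini as `ini_value`; hosts listed under "inheriting" are the ones whose effective setting depends on which request the Apache child served previously.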