Mandrake Linux Security Advisory : php (MDKSA-2001:013)

This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.


Synopsis :

The remote Mandrake Linux host is missing one or more security
updates.

Description :

There are two security problems with php4 as shipped in Linux-Mandrake
7.2. First, PHP directives can be specified on a per-directory basis
under Apache, and a remote attacker could carefully craft an HTTP
request that would cause the next page to be served with the wrong
values for these directives. Second, an installed PHP can be activated
and deactivated on a per-directory or per-virtual host basis using the
'engine=on' or 'engine=off' directive. PHP can 'leak' the 'engine=off'
setting to other virtual hosts on the same machine, effectively
disabling PHP for those hosts and resulting in PHP source code being
sent to the client instead of being executed on the server. Both
vulnerabilities are corrected in PHP 4.0.4pl1.
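
The symptom of the second problem is observable from outside: a URL
that should execute PHP returns the script source instead. The check
below is an added example, not part of the advisory or of the Nessus
plugin; the function names are hypothetical and the host names, paths
and response bodies are constructed sample data.

```python
import re

# A PHP opening tag in a response body means the script was not executed.
# "<?xml" is deliberately not matched: the text after "<?" must be
# "php", "=" or whitespace.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)


def leaked_php_source(body):
    """Return the offset of the first raw PHP opening tag, or None."""
    match = PHP_OPEN_TAG.search(body)
    return match.start() if match else None


def find_leaking_hosts(responses):
    """responses: iterable of (vhost, path, body) for URLs expected to run PHP.

    Returns a sorted list of (vhost, path) whose body still contains PHP source.
    """
    hits = set()
    for vhost, path, body in responses:
        if leaked_php_source(body) is not None:
            hits.add((vhost, path))
    return sorted(hits)


# Constructed sample responses (not taken from the advisory).
SAMPLE_RESPONSES = [
    # Engine on: only the script's output reaches the client.
    ("www.example.test", "/index.php",
     "<html><body>Hello, visitor 42</body></html>"),
    # Engine off: the source, including embedded secrets, is served.
    ("shop.example.test", "/index.php",
     '<?php\n$db_pass = "placeholder";\necho "Hello";\n?>'),
    # Legitimate XML output from a PHP script must not be flagged.
    ("feeds.example.test", "/rss.php",
     '<?xml version="1.0"?><rss version="2.0"></rss>'),
    # Short open tags also indicate unexecuted source.
    ("old.example.test", "/counter.php",
     "<html><? echo $hits; ?></html>"),
]

if __name__ == "__main__":
    for vhost, path in find_leaking_hosts(SAMPLE_RESPONSES):
        print(f"{vhost}{path}: PHP source served instead of executed")
```
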

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Family: Mandriva Local Security Checks

Nessus Plugin ID: 61887

Bugtraq ID:

CVE ID: CVE-2001-0108, CVE-2001-1385
