Mandrake Linux Security Advisory : php (MDKSA-2001:013)

Medium Nessus Plugin ID 61887


The remote Mandrake Linux host is missing one or more security updates.


There are two security problems with php4 as shipped in Linux-Mandrake 7.2. It is possible to specify PHP directives on a per-directory basis under Apache and a remote attacker could carefully craft an HTTP request that would cause the next page to be served with the wrong values for these directives. The second problem is that although PHP may be installed, it can be activated and deactivated on a per- directory or per-virtual host basis using the 'engine=on' or 'engine=off' directive. PHP can 'leak' the 'engine=off' setting to other virtual hosts on the same machine, effectively disabling PHP for those hosts and resulting in PHP source code being sent to the client instead of being executed on the server. These vulnerabilities are corrected in PHP 4.0.4pl1.


Update the affected packages.

Plugin Details

Severity: Medium

ID: 61887

File Name: mandrake_MDKSA-2001-013.nasl

Version: $Revision: 1.3 $

Type: local

Published: 2012/09/06

Modified: 2013/05/31

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:mod_php, p-cpe:/a:mandriva:linux:php, p-cpe:/a:mandriva:linux:php-dba_gdbm_db2, p-cpe:/a:mandriva:linux:php-devel, p-cpe:/a:mandriva:linux:php-gd, p-cpe:/a:mandriva:linux:php-imap, p-cpe:/a:mandriva:linux:php-ldap, p-cpe:/a:mandriva:linux:php-manual, p-cpe:/a:mandriva:linux:php-mysql, p-cpe:/a:mandriva:linux:php-pgsql, p-cpe:/a:mandriva:linux:php-readline, cpe:/o:mandrakesoft:mandrake_linux:7.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 2001/01/22

Reference Information

CVE: CVE-2001-0108, CVE-2001-1385

MDKSA: 2001:013