Mandrake Linux Security Advisory : php (MDKSA-2001:013)
Medium Nessus Plugin ID 61887
Synopsis: The remote Mandrake Linux host is missing one or more security updates.
Description: There are two security problems with php4 as shipped in Linux-Mandrake 7.2. First, it is possible to specify PHP directives on a per-directory basis under Apache, and a remote attacker could carefully craft an HTTP request that would cause the next page to be served with the wrong values for these directives. Second, although PHP may be installed, it can be activated and deactivated on a per-directory or per-virtual-host basis using the 'engine=on' or 'engine=off' directive. PHP can 'leak' the 'engine=off' setting to other virtual hosts on the same machine, effectively disabling PHP for those hosts and resulting in PHP source code being sent to the client instead of being executed on the server. These vulnerabilities are corrected in PHP 4.0.4pl1.
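The visible symptom of the second problem is a response body that still contains PHP open tags. The following check is an added example, not part of the advisory or of the Nessus plugin; it flags such bodies in already-collected responses, and the host names, paths and bodies are constructed sample data.

```python
import re

# Raw PHP open tags: "<?php", "<?=", or the short tag "<?" followed by whitespace.
# "<?xml" is an XML declaration, not PHP, so it is deliberately not matched.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)


def leaked_php_source(body: str) -> bool:
    """Return True if a response body contains unexecuted PHP open tags."""
    return PHP_OPEN_TAG.search(body) is not None


def audit(responses):
    """Take (vhost, path, body) tuples and return the (vhost, path) pairs
    whose body looks like PHP source served instead of executed."""
    return [(vhost, path) for vhost, path, body in responses
            if leaked_php_source(body)]


# Constructed sample responses (not taken from the advisory).
SAMPLES = [
    # Normal case: the script ran and only its output was sent.
    ("a.example", "/index.php", "<html><body>Hello, world</body></html>"),
    # Engine disabled for this host: the script itself was sent.
    ("b.example", "/index.php", "<?php\n$title = 'Home';\necho $title;\n?>"),
    # XML declaration in generated output: must not be flagged.
    ("c.example", "/feed.php", "<?xml version=\"1.0\"?><rss></rss>"),
    # HTML-escaped PHP in a tutorial page: executed output, not a leak.
    ("d.example", "/howto.php", "<pre>&lt;?php echo 1; ?&gt;</pre>"),
    # Short echo tag left unexecuted inside a template.
    ("e.example", "/page.php", "<html><?= $title ?></html>"),
]

if __name__ == "__main__":
    for vhost, path in audit(SAMPLES):
        print(f"PHP source served unexecuted: {vhost}{path}")
```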
Solution: Update the affected packages.