--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2002-10
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------
PHP
Acquisition of PHP Setting information
Release date : 2002-02-21
Object package : php-4.1.1-4
php-3.0.18-8jaJP
Problem
An unauthorized user may be able to obtain PHP configuration information by supplying a specific character string from the browser.
Solution:
Check the installed version with the command below.
# rpm -qa | grep php
If you are using a version earlier than php-4.1.1-4 or php-3.0.18-8jaJP, set "display_errors" to Off in /etc/httpd/php.ini or /etc/httpd/php3.ini.
[ /etc/httpd/php.ini ]
--------------------------
Before: display_errors = On
After:  display_errors = Off
--------------------------
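The following script is an added example, not part of the Turbolinux advisory: it reports the effective display_errors value in the two files named above, so the change can be verified after editing. The function names are chosen for this example, and it assumes that a later assignment in the file overrides an earlier one.

```shell
#!/bin/sh
# Added example: audit display_errors in php.ini / php3.ini.

# Print "on", "off" or "unset" for the file given as $1.
# "unset" means the directive is absent; PHP's built-in default is on.
display_errors_state() {
    awk '
        /^[ \t]*;/ { next }                     # skip commented-out lines
        /^[ \t]*display_errors[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)         # drop "display_errors ="
            sub(/[ \t]*;.*$/, "", v)            # drop a trailing ; comment
            gsub(/"/, "", v)                    # drop surrounding quotes
            sub(/[ \t]+$/, "", v)               # drop trailing whitespace
            v = tolower(v)
            # Assumption: the last assignment in the file is the one kept.
            state = (v == "off" || v == "0" || v == "false" || v == "no" || v == "none" || v == "") ? "off" : "on"
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# Check every readable file passed as an argument.
# Returns 1 if any of them does not explicitly turn display_errors off.
audit_php_ini() {
    rc=0
    for f in "$@"; do
        [ -r "$f" ] || continue                 # skip files not present
        s=$(display_errors_state "$f")
        echo "$f: display_errors is $s"
        [ "$s" = "off" ] || rc=1
    done
    return $rc
}

# Paths taken from the advisory text.
audit_php_ini /etc/httpd/php.ini /etc/httpd/php3.ini ||
    echo "display_errors should be set to Off in the files listed above"
```
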
Furthermore, please run the package update command that corresponds to your product version.
< Turbolinux 7 Server >
< Turbolinux 7 Workstation >
# rpm -Uvh php-4.1.1-4.i586.rpm \
php-imap-4.1.1-4.i586.rpm \
php-ldap-4.1.1-4.i586.rpm \
php-manual-4.1.1-4.i586.rpm \
php-mysql-4.1.1-4.i586.rpm \
php-pgsql-4.1.1-4.i586.rpm
< Turbolinux Server 6.5 >
< Turbolinux Advanced Server 6 >
< Turbolinux Server 6.1 >
< Turbolinux Workstation 6.0 >
# rpm -Uvh php-3.0.18-8jaJP.i386.rpm \
php-imap-3.0.18-8jaJP.i386.rpm \
php-ldap-3.0.18-8jaJP.i386.rpm \
php-manual-3.0.18-8jaJP.i386.rpm \
php-mysql-3.0.18-8jaJP.i386.rpm \
php-pgsql-3.0.18-8jaJP.i386.rpm \
cyrus-sasl-1.5.24-15.i386.rpm \
cyrus-sasl-devel-1.5.24-15.i386.rpm
* If MySQL, OpenLDAP or PostgreSQL is used, updates may be necessary.
Package updates:
http://www.turbolinux.co.jp/update/